diff --git a/extensions/clientprefs/query.cpp b/extensions/clientprefs/query.cpp
index 0775ed17..61f112fc 100644
--- a/extensions/clientprefs/query.cpp
+++ b/extensions/clientprefs/query.cpp
@@ -175,7 +175,7 @@ bool TQueryOp::BindParamsAndRun()
 UTIL_Format(query, sizeof(query),
 "INSERT OR IGNORE INTO sm_cookies (name, description, access) \
- VALUES (\"%s\", \"%s\", %d)",
+ VALUES ('%s', '%s', %d)",
 safe_name,
 safe_desc,
 m_params.cookie->access);
@@ -204,7 +204,7 @@ bool TQueryOp::BindParamsAndRun()
 FROM sm_cookies \
 JOIN sm_cookie_cache \
 ON sm_cookies.id = sm_cookie_cache.cookie_id \
- WHERE player = \"%s\"",
+ WHERE player = '%s'",
 safe_str);
 m_pResult = m_database->DoQuery(query);
@@ -247,7 +247,7 @@ bool TQueryOp::BindParamsAndRun()
 sizeof(query),
 "INSERT OR REPLACE INTO sm_cookie_cache \
 (player, cookie_id, value, timestamp) \
- VALUES (\"%s\", %d, \"%s\", %d)",
+ VALUES ('%s', %d, '%s', %d)",
 safe_id,
 m_params.cookieId,
 safe_val,
@@ -276,7 +276,7 @@ bool TQueryOp::BindParamsAndRun()
 UTIL_Format(query,
 sizeof(query),
- "SELECT id FROM sm_cookies WHERE name = \"%s\"",
+ "SELECT id FROM sm_cookies WHERE name = '%s'",
 safe_name);
 m_pResult = m_database->DoQuery(query);
diff --git a/plugins/include/dbi.inc b/plugins/include/dbi.inc
index d32b14e4..34e619d5 100644
--- a/plugins/include/dbi.inc
+++ b/plugins/include/dbi.inc
@@ -288,6 +288,10 @@ native bool:SQL_GetError(Handle:hndl, String:error[], maxlength);
 * characters are safely escaped according to the database engine and
 * the database's character set.
 *
+ * NOTE: SourceMod only guarantees properly escaped strings when the query
+ * encloses the string in ''. While drivers tend to allow " instead, the string
+ * may be not be escaped (for example, on SQLite)!
+ *
 * @param hndl A database Handle.
 * @param string String to quote.
 * @param buffer Buffer to store quoted string in.
diff --git a/plugins/testsuite/clientprefstest.sp b/plugins/testsuite/clientprefstest.sp
index 45e58165..812bf7e0 100644
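Review bot: The four rewritten UTIL_Format strings (hunks at 175, 204, 247 and 276) still splice `safe_name`/`safe_desc`/`safe_str`/`safe_id`/`safe_val` into the SQL text, so correctness now rests on the `'...'` delimiters matching whatever escape routine produced those values, and nothing in query.cpp records that contract. A comment above the first UTIL_Format would keep a later edit from reverting it: `// safe_* values are driver-escaped; only '...' delimiters are guaranteed to match that escaping (see the quote-string note in dbi.inc).` If the driver's prepared-statement/bound-parameter interface is usable from this extension, binding the values would remove the dependence on quote style altogether and, presumably, also the silent truncation of an over-long escaped value to sizeof(query) that a format-into-fixed-buffer approach carries. BindParamsAndRun begins before the first hunk and continues past the last one.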
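Review bot: The third added comment line in the dbi.inc hunk reads `may be not be escaped`; it should be `may not be escaped`. Naming the delimiter would also read more clearly than the bare `''`: `encloses the string in single quotes ('...').` It is worth stating the reason in the same note, since SQLite treats double quotes as identifier delimiters and only falls back to reading them as a string literal, which is why a value escaped for `'` is not safe inside `"`.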
--- a/plugins/testsuite/clientprefstest.sp
+++ b/plugins/testsuite/clientprefstest.sp
@@ -9,14 +9,14 @@ new Handle:g_Cookie5;
 public OnPluginStart()
 {
- g_Cookie = RegClientCookie("test-cookie", "A basic testing cookie", CookieAccess_Public);
- g_Cookie2 = RegClientCookie("test-cookie2", "A basic testing cookie", CookieAccess_Protected);
+ g_Cookie = RegClientCookie("test-cookie'", "A basic 'testing cookie", CookieAccess_Public);
+ g_Cookie2 = RegClientCookie("test-cookie2\"", "\"A basic testing cookie", CookieAccess_Protected);
 g_Cookie3 = RegClientCookie("test-cookie3", "A basic testing cookie", CookieAccess_Public);
 g_Cookie4 = RegClientCookie("test-cookie4", "A basic testing cookie", CookieAccess_Private);
 g_Cookie5 = RegClientCookie("test-cookie5", "A basic testing cookie", CookieAccess_Public);
- SetCookiePrefabMenu(g_Cookie, CookieMenu_YesNo, "Cookie 1", CookieSelected, any:g_Cookie);
+ SetCookiePrefabMenu(g_Cookie, CookieMenu_YesNo, "Cookie '1", CookieSelected, any:g_Cookie);
 SetCookiePrefabMenu(g_Cookie2, CookieMenu_YesNo_Int, "Cookie 2");
 SetCookiePrefabMenu(g_Cookie3, CookieMenu_OnOff, "Cookie 3");
 SetCookiePrefabMenu(g_Cookie4, CookieMenu_OnOff_Int, "Cookie 4");
@@ -55,7 +55,7 @@ public OnClientCookiesCached(client)
 new String:hi[100];
 GetClientCookie(client, g_Cookie, hi, sizeof(hi));
 LogMessage("Test: %s",hi);
- SetClientCookie(client, g_Cookie, "somethingsomething");
+ SetClientCookie(client, g_Cookie, "somethingsomething'");
 GetClientCookie(client, g_Cookie, hi, sizeof(hi));
 LogMessage("Test: %s",hi);
 }
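Review bot: The hunk at 55 writes `somethingsomething'` and then only logs the value read back, so a quoting regression that stores a mangled or truncated value would not fail this test plugin, it would merely change a log line. Comparing the round-tripped value makes the check self-reporting: `if (!StrEqual(hi, "somethingsomething'")) LogError("cookie round-trip mismatch: '%s'", hi);` — with the caveat that whether the immediate GetClientCookie reads through the database or only the in-memory cache is not visible in this diff. As far as the diff shows, a value containing `"` is exercised only through the cookie name and description in the hunk at 9, never through SetClientCookie, so the INSERT OR REPLACE value path is tested with a single quote only. OnClientCookiesCached starts before the hunk.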