diff --git a/core/smn_database.cpp b/core/smn_database.cpp
index b53a271e..34f30f5c 100644
--- a/core/smn_database.cpp
+++ b/core/smn_database.cpp
@@ -1271,6 +1271,7 @@ REGISTER_NATIVES(dbNatives)
 {"SQL_CheckConfig", SQL_CheckConfig},
 {"SQL_Connect", SQL_Connect},
 {"SQL_ConnectEx", SQL_ConnectEx},
+ {"SQL_EscapeString", SQL_QuoteString},
 {"SQL_Execute", SQL_Execute},
 {"SQL_FastQuery", SQL_FastQuery},
 {"SQL_FetchFloat", SQL_FetchFloat},
diff --git a/plugins/admin-sql-threaded.sp b/plugins/admin-sql-threaded.sp
index d5094eb0..601acd18 100644
--- a/plugins/admin-sql-threaded.sp
+++ b/plugins/admin-sql-threaded.sp
@@ -484,7 +484,7 @@ FetchUser(Handle:db, client)
 }
 }
 
- SQL_QuoteString(db, name, safe_name, sizeof(safe_name));
+ SQL_EscapeString(db, name, safe_name, sizeof(safe_name));
 
 /**
 * Construct the query using the information the user gave us.
diff --git a/plugins/include/dbi.inc b/plugins/include/dbi.inc
index c61ac0ce..cba44810 100644
--- a/plugins/include/dbi.inc
+++ b/plugins/include/dbi.inc
@@ -235,8 +235,14 @@ native SQL_GetInsertId(Handle:hndl);
 native bool:SQL_GetError(Handle:hndl, String:error[], maxlength);
 
 /**
- * Quotes a database string for literal insertion. This is not needed
- * for binding strings in prepared statements.
+ * Escapes a database string for literal insertion. This is not needed
+ * for binding strings in prepared statements.
+ *
+ * Generally, database strings are inserted into queries enclosed in
+ * single quotes ('). If user input has a single quote in it, the
+ * quote needs to be escaped. This function ensures that any unsafe
+ * characters are safely escaped according to the database engine and
+ * the database's character set.
 *
 * @param hndl A database Handle.
 * @param string String to quote.
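Review bot: The new table entry binds the script name `SQL_EscapeString` to the existing C++ handler `SQL_QuoteString`, and nothing on the line says why two script names share one handler, so a later cleanup of the table could drop either one. A comment on the added line would pin the intent, e.g. `// SQL_EscapeString is the public name; keep the SQL_QuoteString entry so plugins compiled against the older include still bind`. This assumes the original `SQL_QuoteString` registration survives outside this hunk, which the diff does not show; if it was removed, already-compiled plugins would fail to bind that native at load time. The REGISTER_NATIVES table starts and ends outside the hunk.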
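Review bot: The boolean result of `SQL_EscapeString` is discarded here, so if escaping fails (an invalid Handle per the @error line in dbi.inc, or an output buffer smaller than the documented 2*strlen(string)+1) the query is still built from `safe_name`, whose contents after a failed call the include does not specify. Testing the result, `if (!SQL_EscapeString(db, name, safe_name, sizeof(safe_name)))` followed by whatever error path FetchUser uses, would make the failure visible instead of letting an unescaped or partial value reach SQL. The same unchecked call appears in sql-admin-manager.sp at the -417, -541, -632, -655, -706, -798 and -819 hunks. FetchUser begins outside this hunk, so the appropriate error path is not visible here.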
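Review bot: The @param lines under the rewritten description still document the first parameter as `hndl` and the second as the string "to quote", while the declaration in the following hunk names them `database` and `string` and the function is now SQL_EscapeString; the reference lines should read `@param database A database Handle.` and `@param string String to escape.`. The new paragraph says strings are "inserted into queries enclosed in single quotes" but does not state the precondition that makes the escaping effective, namely that the caller must still place the escaped output between single quotes; one sentence such as `The result is only safe when the caller wraps it in single quotes; it does not protect values used unquoted.` would close that gap. The comment block continues into the next hunk.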
@@ -247,7 +253,24 @@ native bool:SQL_GetError(Handle:hndl, String:error[], maxlength);
 * The buffer must be at least 2*strlen(string)+1.
 * @error Invalid database or statement Handle.
 */
-native bool:SQL_QuoteString(Handle:database, const String:string[], String:buffer[], maxlength, &written=0);
+native bool:SQL_EscapeString(Handle:database,
+ const String:string[],
+ String:buffer[],
+ maxlength,
+ &written=0);
+
+/**
+ * This is a backwards compatibility stock. You should use SQL_EscapeString()
+ * instead, as this function will probably be deprecated in SourceMod 1.1.
+ */
+stock bool:SQL_QuoteString(Handle:database,
+ const String:string[],
+ String:buffer[],
+ maxlength,
+ &written=0)
+{
+ return SQL_EscapeString(database, string, buffer, maxlength, written);
+}
 
 /**
 * Executes a query and ignores the result set.
diff --git a/plugins/sql-admin-manager.sp b/plugins/sql-admin-manager.sp
index 33d1bcb0..587ea1e6 100644
--- a/plugins/sql-admin-manager.sp
+++ b/plugins/sql-admin-manager.sp
@@ -417,7 +417,7 @@ public Action:Command_SetAdminGroups(client, args)
 decl String:identity[65];
 decl String:safe_identity[140];
 GetCmdArg(2, identity, sizeof(identity));
- SQL_QuoteString(db, identity, safe_identity, sizeof(safe_identity));
+ SQL_EscapeString(db, identity, safe_identity, sizeof(safe_identity));
 
 decl String:query[255];
 Format(query,
@@ -541,9 +541,9 @@ public Action:Command_DelGroup(client, args)
 if (len > 1 && (name[0] == '"' && name[len-1] == '"'))
 {
 name[--len] = '\0';
- SQL_QuoteString(db, name[1], safe_name, sizeof(safe_name));
+ SQL_EscapeString(db, name[1], safe_name, sizeof(safe_name));
 } else {
- SQL_QuoteString(db, name, safe_name, sizeof(safe_name));
+ SQL_EscapeString(db, name, safe_name, sizeof(safe_name));
 }
 
 decl String:query[256];
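Review bot: The compatibility stock announces its future deprecation only in prose, so callers get no compiler signal to migrate; if the toolchain in use honours it, a `#pragma deprecated Use SQL_EscapeString() instead` placed directly above `stock bool:SQL_QuoteString(Handle:database,` would warn at compile time while leaving the call working. The stock's comment should also restate the contract it forwards, that `buffer` must be at least 2*strlen(string)+1 and that the return value and `written` are exactly those of SQL_EscapeString, so a reader who lands on the stock alone is not left to locate the native's documentation. Both are comment-only changes to the existing block.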
@@ -632,7 +632,7 @@ public Action:Command_AddGroup(client, args)
 decl String:name[64];
 decl String:safe_name[64];
 GetCmdArg(1, name, sizeof(name));
- SQL_QuoteString(db, name, safe_name, sizeof(safe_name));
+ SQL_EscapeString(db, name, safe_name, sizeof(safe_name));
 
 new Handle:hQuery;
 decl String:query[256];
@@ -655,7 +655,7 @@ public Action:Command_AddGroup(client, args)
 decl String:flags[30];
 decl String:safe_flags[64];
 GetCmdArg(2, flags, sizeof(safe_flags));
- SQL_QuoteString(db, flags, safe_flags, sizeof(safe_flags));
+ SQL_EscapeString(db, flags, safe_flags, sizeof(safe_flags));
 
 Format(query,
 sizeof(query),
@@ -706,7 +706,7 @@ public Action:Command_DelAdmin(client, args)
 decl String:identity[65];
 decl String:safe_identity[140];
 GetCmdArg(2, identity, sizeof(identity));
- SQL_QuoteString(db, identity, safe_identity, sizeof(safe_identity));
+ SQL_EscapeString(db, identity, safe_identity, sizeof(safe_identity));
 
 decl String:query[255];
 Format(query,
@@ -798,7 +798,7 @@ public Action:Command_AddAdmin(client, args)
 return Plugin_Handled;
 }
 
- SQL_QuoteString(db, identity, safe_identity, sizeof(safe_identity));
+ SQL_EscapeString(db, identity, safe_identity, sizeof(safe_identity));
 
 Format(query, sizeof(query), "SELECT id FROM sm_admins WHERE authtype = '%s' AND identity = '%s'", authtype, identity);
 if ((hQuery = SQL_Query(db, query)) == INVALID_HANDLE)
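Review bot: `safe_name` is declared with 64 cells while `name` is also 64, so a 63-character group name needs a 127-cell output buffer under the 2*strlen(string)+1 requirement stated in dbi.inc; the escape call has no room for a name containing many quote or backslash characters, and its return value is ignored on the renamed line. Declaring `decl String:safe_name[128];` (the other call sites in this file use 140 for a 65-cell input) matches the documented sizing. Command_AddGroup continues outside the hunk.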
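Review bot: `GetCmdArg(2, flags, sizeof(safe_flags))` passes the 64-cell size of the output buffer while writing into `flags`, which is declared with only 30 cells, so a command argument longer than 29 characters overruns `flags` before any escaping happens. The size argument should name the buffer being written: `GetCmdArg(2, flags, sizeof(flags));`. The -819 hunk in this file already does it that way. This is a context line rather than part of the rename, but the rename touches the line directly below it and the value it reads.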
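Review bot: The `Format` call right after the renamed escape still interpolates `identity` rather than `safe_identity` into `SELECT id FROM sm_admins WHERE authtype = '%s' AND identity = '%s'`, so the escaping performed on the line above never reaches this query and a single quote in the identity argument is handed to SQL unescaped. The fix is `Format(query, sizeof(query), "SELECT id FROM sm_admins WHERE authtype = '%s' AND identity = '%s'", authtype, safe_identity);`. Whether `authtype` is validated before use is not visible in this hunk; Command_AddAdmin begins and ends outside it.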
@@ -819,19 +819,19 @@ public Action:Command_AddAdmin(client, args)
 decl String:alias[64];
 decl String:safe_alias[140];
 GetCmdArg(1, alias, sizeof(alias));
- SQL_QuoteString(db, alias, safe_alias, sizeof(safe_alias));
+ SQL_EscapeString(db, alias, safe_alias, sizeof(safe_alias));
 
 decl String:flags[30];
 decl String:safe_flags[64];
 GetCmdArg(4, flags, sizeof(flags));
- SQL_QuoteString(db, flags, safe_flags, sizeof(safe_flags));
+ SQL_EscapeString(db, flags, safe_flags, sizeof(safe_flags));
 
 decl String:password[32];
 decl String:safe_password[80];
 if (args > 4)
 {
 GetCmdArg(5, password, sizeof(password));
- SQL_QuoteString(db, password, safe_password, sizeof(safe_password));
+ SQL_EscapeString(db, password, safe_password, sizeof(safe_password));
 } else {
 safe_password[0] = '\0';
 }