From e4450610dabc8e4e05ade4ad854d6024d34199d7 Mon Sep 17 00:00:00 2001
From: David Anderson <dvander@alliedmods.net>
Date: Fri, 22 Feb 2008 02:23:17 +0000
Subject: [PATCH] amb1443 - SQL_QuoteString -> SQL_EscapeString

--HG--
extra : convert_revision : svn%3A39bc706e-5318-0410-9160-8a85361fbb7c/trunk%401880
---
 core/smn_database.cpp         |  1 +
 plugins/admin-sql-threaded.sp |  2 +-
 plugins/include/dbi.inc       | 29 ++++++++++++++++++++++++++---
 plugins/sql-admin-manager.sp  | 20 ++++++++++----------
 4 files changed, 38 insertions(+), 14 deletions(-)

diff --git a/core/smn_database.cpp b/core/smn_database.cpp
index b53a271e..34f30f5c 100644
--- a/core/smn_database.cpp
+++ b/core/smn_database.cpp
@@ -1271,6 +1271,7 @@ REGISTER_NATIVES(dbNatives)
 	{"SQL_CheckConfig",			SQL_CheckConfig},
 	{"SQL_Connect",				SQL_Connect},
 	{"SQL_ConnectEx",			SQL_ConnectEx},
+	{"SQL_EscapeString",		SQL_QuoteString},
 	{"SQL_Execute",				SQL_Execute},
 	{"SQL_FastQuery",			SQL_FastQuery},
 	{"SQL_FetchFloat",			SQL_FetchFloat},
diff --git a/plugins/admin-sql-threaded.sp b/plugins/admin-sql-threaded.sp
index d5094eb0..601acd18 100644
--- a/plugins/admin-sql-threaded.sp
+++ b/plugins/admin-sql-threaded.sp
@@ -484,7 +484,7 @@ FetchUser(Handle:db, client)
 		}
 	}
 	
-	SQL_QuoteString(db, name, safe_name, sizeof(safe_name));
+	SQL_EscapeString(db, name, safe_name, sizeof(safe_name));
 	
 	/**
 	 * Construct the query using the information the user gave us.
diff --git a/plugins/include/dbi.inc b/plugins/include/dbi.inc
index c61ac0ce..cba44810 100644
--- a/plugins/include/dbi.inc
+++ b/plugins/include/dbi.inc
@@ -235,8 +235,14 @@ native SQL_GetInsertId(Handle:hndl);
 native bool:SQL_GetError(Handle:hndl, String:error[], maxlength);
 
 /**
- * Quotes a database string for literal insertion.  This is not needed
- * for binding strings in prepared statements.
+ * Escapes a database string for literal insertion.  This is not needed
+ * for binding strings in prepared statements.  
+ *
+ * Generally, database strings are inserted into queries enclosed in 
+ * single quotes (').  If user input has a single quote in it, the 
+ * quote needs to be escaped.  This function ensures that any unsafe 
+ * characters are safely escaped according to the database engine and 
+ * the database's character set.
  *
  * @param hndl			A database Handle.
  * @param string		String to quote.
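Review bot: The new description should state the precondition the escaping depends on: the output is only safe when the caller places it between single quotes, as the text itself assumes; an escaped value dropped into an unquoted position (a numeric comparison, an identifier, a LIMIT) is still injectable, and `%`/`_` in a LIKE pattern are not touched by escaping. I would append to the comment: ` * Note that escaping only protects a value that is wrapped in quotes in the query; it does not make a value safe in an unquoted context, and it does not escape LIKE wildcards.` The `@param string` line still says "String to quote" after the rename; `String to escape.` keeps the terminology consistent. Whether `%`/`_` are handled depends on the engine driver, which is not visible here, so the wildcard sentence should be confirmed against the native before landing.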
@@ -247,7 +253,24 @@ native bool:SQL_GetError(Handle:hndl, String:error[], maxlength);
  *						The buffer must be at least 2*strlen(string)+1.
  * @error				Invalid database or statement Handle.
  */
-native bool:SQL_QuoteString(Handle:database, const String:string[], String:buffer[], maxlength, &written=0);
+native bool:SQL_EscapeString(Handle:database, 
+							 const String:string[], 
+							 String:buffer[], 
+							 maxlength, 
+							 &written=0);
+
+/**
+ * This is a backwards compatibility stock.  You should use SQL_EscapeString() 
+ * instead, as this function will probably be deprecated in SourceMod 1.1.
+ */
+stock bool:SQL_QuoteString(Handle:database,
+						   const String:string[],
+						   String:buffer[],
+						   maxlength,
+						   &written=0)
+{
+	return SQL_EscapeString(database, string, buffer, maxlength, written);
+}
 
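Review bot: The compatibility stock has no `@return` and the native's comment above it never says what a `false` return means, yet every caller changed in this same patch discards the result. Given the "at least 2*strlen(string)+1" buffer requirement on the line above, a false return presumably signals an undersized buffer, which is exactly the case where the caller must not send the query. I would add to the stock's comment ` * @return  Whatever SQL_EscapeString() returns; callers must check it, a false result means the buffer is not safe to use.` and add the matching `@return` line to the native's own doc block, after confirming the failure semantics in smn_database.cpp.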
 /**
  * Executes a query and ignores the result set.
diff --git a/plugins/sql-admin-manager.sp b/plugins/sql-admin-manager.sp
index 33d1bcb0..587ea1e6 100644
--- a/plugins/sql-admin-manager.sp
+++ b/plugins/sql-admin-manager.sp
@@ -417,7 +417,7 @@ public Action:Command_SetAdminGroups(client, args)
 	decl String:identity[65];
 	decl String:safe_identity[140];
 	GetCmdArg(2, identity, sizeof(identity));
-	SQL_QuoteString(db, identity, safe_identity, sizeof(safe_identity));
+	SQL_EscapeString(db, identity, safe_identity, sizeof(safe_identity));
 	
 	decl String:query[255];
 	Format(query, 
@@ -541,9 +541,9 @@ public Action:Command_DelGroup(client, args)
 	if (len > 1 && (name[0] == '"' && name[len-1] == '"'))
 	{
 		name[--len] = '\0';
-		SQL_QuoteString(db, name[1], safe_name, sizeof(safe_name));
+		SQL_EscapeString(db, name[1], safe_name, sizeof(safe_name));
 	} else {
-		SQL_QuoteString(db, name, safe_name, sizeof(safe_name));
+		SQL_EscapeString(db, name, safe_name, sizeof(safe_name));
 	}
 	
 	decl String:query[256];
@@ -632,7 +632,7 @@ public Action:Command_AddGroup(client, args)
 	decl String:name[64];
 	decl String:safe_name[64];
 	GetCmdArg(1, name, sizeof(name));
-	SQL_QuoteString(db, name, safe_name, sizeof(safe_name));
+	SQL_EscapeString(db, name, safe_name, sizeof(safe_name));
 	
 	new Handle:hQuery;
 	decl String:query[256];
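Review bot: `safe_name` is declared with 64 cells while `name` is also 64 cells, which is below the `2*strlen(string)+1` minimum the dbi.inc comment requires for the escape buffer; a 63-character group name made mostly of quotes or backslashes needs up to 127 cells. Since the return value of `SQL_EscapeString` is discarded on the next line, the truncated or failed escape goes straight into `query`. Change the declaration to `decl String:safe_name[129];` and guard the call with `if (!SQL_EscapeString(db, name, safe_name, sizeof(safe_name))) return Plugin_Handled;` (with whatever user-facing reply this plugin uses elsewhere). Command_AddGroup continues outside the hunk.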
@@ -655,7 +655,7 @@ public Action:Command_AddGroup(client, args)
 	decl String:flags[30];
 	decl String:safe_flags[64];
 	GetCmdArg(2, flags, sizeof(safe_flags));
-	SQL_QuoteString(db, flags, safe_flags, sizeof(safe_flags));
+	SQL_EscapeString(db, flags, safe_flags, sizeof(safe_flags));
 	
 	Format(query, 
 		sizeof(query),
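Review bot: The `GetCmdArg` call two lines above the renamed line passes `sizeof(safe_flags)` (64) as the size of `flags`, which is declared with only 30 cells, so a long second argument overruns `flags` before the escape call even runs. The fix is one line: `GetCmdArg(2, flags, sizeof(flags));`. The escape buffer itself is fine at 64 cells for a 30-cell input. Command_AddGroup starts outside this hunk.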
@@ -706,7 +706,7 @@ public Action:Command_DelAdmin(client, args)
 	decl String:identity[65];
 	decl String:safe_identity[140];
 	GetCmdArg(2, identity, sizeof(identity));
-	SQL_QuoteString(db, identity, safe_identity, sizeof(safe_identity));
+	SQL_EscapeString(db, identity, safe_identity, sizeof(safe_identity));
 	
 	decl String:query[255];
 	Format(query, 
@@ -798,7 +798,7 @@ public Action:Command_AddAdmin(client, args)
 		return Plugin_Handled;
 	}
 	
-	SQL_QuoteString(db, identity, safe_identity, sizeof(safe_identity));
+	SQL_EscapeString(db, identity, safe_identity, sizeof(safe_identity));
 	
 	Format(query, sizeof(query), "SELECT id FROM sm_admins WHERE authtype = '%s' AND identity = '%s'", authtype, identity);
 	if ((hQuery = SQL_Query(db, query)) == INVALID_HANDLE)
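Review bot: The escaped value computed on the changed line is never used: the `Format` call two lines below interpolates the raw `identity` into the `WHERE ... identity = '%s'` clause, so a quote in the admin identity argument reaches the query unescaped despite the `SQL_EscapeString` call. Change the last argument to `safe_identity`: `Format(query, sizeof(query), "SELECT id FROM sm_admins WHERE authtype = '%s' AND identity = '%s'", authtype, safe_identity);`. `authtype` is also interpolated raw; it is presumably constrained to a fixed set earlier in Command_AddAdmin, which starts outside this hunk, so that should be confirmed. The `SQL_EscapeString` return value should be checked here as well.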
@@ -819,19 +819,19 @@ public Action:Command_AddAdmin(client, args)
 	decl String:alias[64];
 	decl String:safe_alias[140];
 	GetCmdArg(1, alias, sizeof(alias));
-	SQL_QuoteString(db, alias, safe_alias, sizeof(safe_alias));
+	SQL_EscapeString(db, alias, safe_alias, sizeof(safe_alias));
 	
 	decl String:flags[30];
 	decl String:safe_flags[64];
 	GetCmdArg(4, flags, sizeof(flags));
-	SQL_QuoteString(db, flags, safe_flags, sizeof(safe_flags));
+	SQL_EscapeString(db, flags, safe_flags, sizeof(safe_flags));
 	
 	decl String:password[32];
 	decl String:safe_password[80];
 	if (args > 4)
 	{
 		GetCmdArg(5, password, sizeof(password));
-		SQL_QuoteString(db, password, safe_password, sizeof(safe_password));
+		SQL_EscapeString(db, password, safe_password, sizeof(safe_password));
 	} else {
 		safe_password[0] = '\0';
 	}
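Review bot: All three escape calls in this hunk discard the `bool` result of `SQL_EscapeString`, so a failed escape still flows into the query built later in Command_AddAdmin (which continues past the hunk). The buffer sizes here do satisfy the 2*strlen+1 rule (64→140, 30→64, 32→80), so the remaining risk is whatever the native reports through its return value; each call should be written as `if (!SQL_EscapeString(db, alias, safe_alias, sizeof(safe_alias))) return Plugin_Handled;` and likewise for `flags` and `password`, with the plugin's usual error reply. I cannot see what false means from here, so the exact failure semantics should be confirmed in the native.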