Hercules Elf Bot - Mar 17, 2012 9:47
Originally posted by [b]Stingor[/b]
Hi, into \src\login\loginlog_sql.c
[CODE]void login_log(uint32 ip, const char* username, int rcode, const char* message)
{
char esc_username[NAME_LENGTH*2+1];
char esc_message[255*2+1];
int retcode;
if( !enabled )
return;
Sql_EscapeStringLen(sql_handle, esc_username, username, strnlen(username, NAME_LENGTH));
Sql_EscapeStringLen(sql_handle, esc_message, message, strnlen(message, 255));
retcode = Sql_Query(sql_handle,
"INSERT INTO `%s`(`time`,`ip`,`user`,`rcode`,`log`) VALUES (NOW(), '%s', '%s', '%d', '%s')",
log_login_db, ip2str(ip,NULL), esc_username, rcode, message);
if( retcode != SQL_SUCCESS )
Sql_ShowDebug(sql_handle);
}[/CODE]
here "esc_username, rcode, [color=#b22222]message[/color]);" it's not better to put esc_message ?
This post has been edited by
Stingor
on Mar 17, 2012 10:26
Hercules Elf Bot - Mar 17, 2012 13:04
Originally posted by [b]MarkZD[/b]
Apparently the code is scaping sql injection from message and putting this scaped value into esc_message, but it's saving the pure message value into the table, what could cause sql injections, so you're right, it should be esc_message.
But as this message should be a system message, it wouldn't happen, in any case it better to switch to esc_message.
This post has been edited by
MarkZD
on Mar 17, 2012 13:07
Hercules Elf Bot - Mar 17, 2012 21:45
Originally posted by [b]Ind[/b]
Fixed in [rev=15703]