author | Peter Powell <petpow@saberuk.com> | 2018-07-15 14:11:04 +0100 |
---|---|---|
committer | Peter Powell <petpow@saberuk.com> | 2018-07-15 14:15:35 +0100 |
commit | d0dac3a2751e5b5edadf3befa8259f9902b9450b (patch) | |
tree | 8608990a677c14e2bd3f9d7847ad37c7e4c0acd5 /src/modules/extra | |
parent | 227484c6c068eee8251cc4f13a0676bd8b2ecc8d (diff) |
Use mysql_real_escape_string instead of mysql_escape string.
This is not exploitable as far as I know, but it is probably best
that we use the newer function just in case.
Closes #649 (although the attack mentioned in that issue was not
feasible).
Diffstat (limited to 'src/modules/extra')
-rw-r--r-- | src/modules/extra/m_mysql.cpp | 5 |
1 files changed, 2 insertions, 3 deletions
diff --git a/src/modules/extra/m_mysql.cpp b/src/modules/extra/m_mysql.cpp
index 0a7d4d993..9f17c1426 100644
--- a/src/modules/extra/m_mysql.cpp
+++ b/src/modules/extra/m_mysql.cpp
@@ -356,10 +356,9 @@ class SQLConnection : public SQL::Provider
 // and one byte is the terminating null
 std::vector<char> buffer(parm.length() * 2 + 1);
-// The return value of mysql_escape_string() is the length of the encoded string,
+// The return value of mysql_real_escape_string() is the length of the encoded string,
 // not including the terminating null
-unsigned long escapedsize = mysql_escape_string(&buffer[0], parm.c_str(), parm.length());
-// mysql_real_escape_string(connection, queryend, paramscopy[paramnum].c_str(), paramscopy[paramnum].length());
+unsigned long escapedsize = mysql_real_escape_string(connection, &buffer[0], parm.c_str(), parm.length());
 res.append(&buffer[0], escapedsize);
 }
 }
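Review bot: The result of the new `mysql_real_escape_string(connection, ...)` call is appended unchecked on the following `res.append(&buffer[0], escapedsize)` line; depending on the client library version, this function reports failure (for example when the connection runs in NO_BACKSLASH_ESCAPES mode, where backslash escaping is unsafe) by returning `(unsigned long)-1`, which would make the append read far past the buffer. Guarding the result before the append, `if (escapedsize == static_cast<unsigned long>(-1)) { /* escaping failed: abort this query rather than emit a partially escaped parameter */ }`, keeps a failed escape from silently producing a malformed query. It is also worth a one-line comment that `connection` must already be an established connection at this point, since the new function derives the escaping rules from the connection's character set, which is the reason it is preferred over `mysql_escape_string`. The enclosing function starts outside the hunk.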