diff options
author | Peter Powell <petpow@saberuk.com> | 2018-07-15 14:11:04 +0100 |
---|---|---|
committer | Peter Powell <petpow@saberuk.com> | 2018-07-15 14:15:35 +0100 |
commit | d0dac3a2751e5b5edadf3befa8259f9902b9450b (patch) | |
tree | 8608990a677c14e2bd3f9d7847ad37c7e4c0acd5 /src | |
parent | 227484c6c068eee8251cc4f13a0676bd8b2ecc8d (diff) |
Use mysql_real_escape_string instead of mysql_escape string.
This is not exploitable as far as I know but it is probably best
that we use the newer function just in case.
Closes #649 (although the attack mentioned in that issue was not
feasible).
Diffstat (limited to 'src')
-rw-r--r-- | src/modules/extra/m_mysql.cpp | 5 |
1 files changed, 2 insertions, 3 deletions
diff --git a/src/modules/extra/m_mysql.cpp b/src/modules/extra/m_mysql.cpp index 0a7d4d993..9f17c1426 100644 --- a/src/modules/extra/m_mysql.cpp +++ b/src/modules/extra/m_mysql.cpp @@ -356,10 +356,9 @@ class SQLConnection : public SQL::Provider // and one byte is the terminating null std::vector<char> buffer(parm.length() * 2 + 1); - // The return value of mysql_escape_string() is the length of the encoded string, + // The return value of mysql_real_escape_string() is the length of the encoded string, // not including the terminating null - unsigned long escapedsize = mysql_escape_string(&buffer[0], parm.c_str(), parm.length()); -// mysql_real_escape_string(connection, queryend, paramscopy[paramnum].c_str(), paramscopy[paramnum].length()); + unsigned long escapedsize = mysql_real_escape_string(connection, &buffer[0], parm.c_str(), parm.length()); res.append(&buffer[0], escapedsize); } } |