Use mysql_real_escape_string instead of mysql_escape string.

This is not exploitable as far as I know but it is probably best
that we use the newer function just in case.

Closes #649 (although the attack mentioned in that issue was not
feasible).

diff --git a/src/modules/extra/m_mysql.cpp b/src/modules/extra/m_mysql.cpp
index 0a7d4d993ce6d78a4e5c91d7d86e15fa004bac4d..9f17c142662b9573d6bf7ba59926ac386097ee54 100644 (file)
--- a/src/modules/extra/m_mysql.cpp
+++ b/src/modules/extra/m_mysql.cpp
@@ -356,10 +356,9 @@ class SQLConnection : public SQL::Provider
                                        // and one byte is the terminating null
                                        std::vector<char> buffer(parm.length() * 2 + 1);
 
-                                       // The return value of mysql_escape_string() is the length of the encoded string,
+                                       // The return value of mysql_real_escape_string() is the length of the encoded string,
                                        // not including the terminating null
-                                       unsigned long escapedsize = mysql_escape_string(&buffer[0], parm.c_str(), parm.length());
-//                                     mysql_real_escape_string(connection, queryend, paramscopy[paramnum].c_str(), paramscopy[paramnum].length());
+                                       unsigned long escapedsize = mysql_real_escape_string(connection, &buffer[0], parm.c_str(), parm.length());
                                        res.append(&buffer[0], escapedsize);
                                }
                        }