misterioso

Yes because the input is already checked:

 if (!check_name(gcp.name))
    {
        gcp.master->ChatPacket(CHAT_TYPE_INFO, LC_TEXT("<±æµå> ±æµå À̸§ÀÌ ÀûÇÕÇÏÁö ¾Ê½À´Ï´Ù."));
        return 0;
    }

28 minutes ago, MORTE said:

Yes.

 

DWORD CGuildManager::CreateGuild(TGuildCreateParameter& gcp)
{

[...]

    static char __escape_name[GUILD_NAME_MAX_LEN * 2 + 1];
        DBManager::instance().EscapeString(__escape_name, sizeof(__escape_name), static_cast<const char *>(gcp.name), sizeof(gcp.name));
    
    std::auto_ptr<SQLMsg> pmsg(DBManager::instance().DirectQuery("SELECT COUNT(*) FROM guild%s WHERE name = '%s'",
                get_table_postfix(), __escape_name));

[...]

}

This is not necessary because the function "check_name" already check if is an alphanumeric data.

So you can use the "normal version":

std::auto_ptr<SQLMsg> pmsg(DBManager::instance().DirectQuery("SELECT COUNT(*) FROM guild%s WHERE name = '%s'",
                get_table_postfix(), gcp.name));

Have you used any fix for "injection" in guild_manager.cpp ?

If yes the problem is in CGuildManager::CreateGuild because the input is already checked by function check_name and you don't need any"fix".

I'm happy... Finally someone appreciates my small tool... >.<

In the original forum nobody said anything about it and for this reason I didn't post in other forums.

Thank you for sharing,

Misterioso

UP...

We're waiting you

Dear users,

Monday 18.07.2016 at 16:00 (CEST) ----> Kill4Fun, a semi FunPvP, started.

Useful Information:
WebSite: https://kill4fun.xyz
Forum: https://kill4fun.xyz/forum
Support E-Mail: [email protected]

Download client:

• Mega
• Mediafire

Presentation (95% translated from italian):

Kind Regards,

Misterioso