BUg guild with duplicate name

[MORTE 78]

Help fix? 

[ahmedhaies 50]

make new system to guild 

[Kirito 2]

2 minutes ago, ahmedhaies said:

make new system to guild 

You should help him or give a fix not saying Shits dude

[ahmedhaies 50]

deleted 

Because of the Mufti of the Republic

misterioso

[misterioso 5]

Have you used any fix for "injection" in guild_manager.cpp ?

If yes the problem is in CGuildManager::CreateGuild because the input is already checked by function check_name and you don't need any"fix".

[MORTE 78]

Yes.

 

DWORD CGuildManager::CreateGuild(TGuildCreateParameter& gcp)
{
    if (!gcp.master)
        return 0;

    if (!check_name(gcp.name))
    {
        gcp.master->ChatPacket(CHAT_TYPE_INFO, LC_TEXT("<±æµå> ±æµå À̸§ÀÌ ÀûÇÕÇÏÁö ¾Ê½À´Ï´Ù."));
        return 0;
    }
    
    static char __escape_name[GUILD_NAME_MAX_LEN * 2 + 1];
        DBManager::instance().EscapeString(__escape_name, sizeof(__escape_name), static_cast<const char *>(gcp.name), sizeof(gcp.name));
    
    std::auto_ptr<SQLMsg> pmsg(DBManager::instance().DirectQuery("SELECT COUNT(*) FROM guild%s WHERE name = '%s'",
                get_table_postfix(), __escape_name));

    if (pmsg->Get()->uiNumRows > 0)
    {
        MYSQL_ROW row = mysql_fetch_row(pmsg->Get()->pSQLResult);

        if (!(row[0] && row[0][0] == '0'))
        {
            gcp.master->ChatPacket(CHAT_TYPE_INFO, LC_TEXT("<±æµå> ÀÌ¹Ì °°Àº À̸§ÀÇ ±æµå°¡ ÀÖ½À´Ï´Ù."));
            return 0;
        }
    }
    else
    {
        gcp.master->ChatPacket(CHAT_TYPE_INFO, LC_TEXT("<±æµå> ±æµå¸¦ »ý¼ºÇÒ ¼ö ¾ø½À´Ï´Ù."));
        return 0;
    }

    // new CGuild(gcp) queries guild tables and tell dbcache to notice other game servers.
    // other game server calls CGuildManager::LoadGuild to load guild.
    CGuild * pg = M2_NEW CGuild(gcp);
    m_mapGuild.insert(std::make_pair(pg->GetID(), pg));
    return pg->GetID();
}

[misterioso 5]

28 minutes ago, MORTE said:

Yes.

 

DWORD CGuildManager::CreateGuild(TGuildCreateParameter& gcp)
{

[...]

    static char __escape_name[GUILD_NAME_MAX_LEN * 2 + 1];
        DBManager::instance().EscapeString(__escape_name, sizeof(__escape_name), static_cast<const char *>(gcp.name), sizeof(gcp.name));
    
    std::auto_ptr<SQLMsg> pmsg(DBManager::instance().DirectQuery("SELECT COUNT(*) FROM guild%s WHERE name = '%s'",
                get_table_postfix(), __escape_name));

[...]

}

This is not necessary because the function "check_name" already check if is an alphanumeric data.

So you can use the "normal version":

std::auto_ptr<SQLMsg> pmsg(DBManager::instance().DirectQuery("SELECT COUNT(*) FROM guild%s WHERE name = '%s'",
                get_table_postfix(), gcp.name));

 

[MORTE 78]

19 hours ago, misterioso said:

This is not necessary because the function "check_name" already check if is an alphanumeric data.

So you can use the "normal version":

std::auto_ptr<SQLMsg> pmsg(DBManager::instance().DirectQuery("SELECT COUNT(*) FROM guild%s WHERE name = '%s'",
                get_table_postfix(), gcp.name));

 

Even with this change, SQL injection remains fixed?

[misterioso 5]

Yes because the input is already checked:

 if (!check_name(gcp.name))
    {
        gcp.master->ChatPacket(CHAT_TYPE_INFO, LC_TEXT("<±æµå> ±æµå À̸§ÀÌ ÀûÇÕÇÏÁö ¾Ê½À´Ï´Ù."));
        return 0;
    }

[MORTE 78]

thank!