From 383fbd25c8f0ef3840378d6a15eb6e6c5c45bcdd Mon Sep 17 00:00:00 2001
From: alexkar598 <25136265+alexkar598@users.noreply.github.com>
Date: Mon, 3 Feb 2020 22:21:12 -0500
Subject: [PATCH] Casually removes the ability for admins to do SQL injection and destroy yogstation
---
 code/controllers/subsystem/achievements.dm | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/code/controllers/subsystem/achievements.dm b/code/controllers/subsystem/achievements.dm
index 2119f9c2e20c..5d95e9885b86 100644
--- a/code/controllers/subsystem/achievements.dm
+++ b/code/controllers/subsystem/achievements.dm
@@ -11,14 +11,14 @@ SUBSYSTEM_DEF(achievements)
 var/datum/achievement/A = new i
 achievements[A] = A.id
- var/datum/DBQuery/medalQuery = SSdbcore.NewQuery("SELECT name, descr FROM [format_table_name("achievements")] WHERE id = '[A.id]'")
+ var/datum/DBQuery/medalQuery = SSdbcore.NewQuery("SELECT name, descr FROM [format_table_name("achievements")] WHERE id = '[sanitizeSQL(A.id)]'")
 medalQuery.Execute()
 if(!medalQuery.NextRow())
- var/datum/DBQuery/medalQuery2 = SSdbcore.NewQuery("INSERT INTO [format_table_name("achievements")] (name, id, descr) VALUES ('[A.name]', '[A.id]', '[A.desc]')")
+ var/datum/DBQuery/medalQuery2 = SSdbcore.NewQuery("INSERT INTO [format_table_name("achievements")] (name, id, descr) VALUES ('[sanitizeSQL(A.name)]', '[sanitizeSQL(A.id)]', '[sanitizeSQL(A.desc)]')")
 medalQuery2.Execute()
 qdel(medalQuery2)
 else if(medalQuery.item[1] != A.name || medalQuery.item[2] != A.desc)
- var/datum/DBQuery/medalQuery2 = SSdbcore.NewQuery("UPDATE [format_table_name("achievements")] SET name = '[A.name]', descr = '[A.desc]' WHERE id = '[A.id]'")
+ var/datum/DBQuery/medalQuery2 = SSdbcore.NewQuery("UPDATE [format_table_name("achievements")] SET name = '[sanitizeSQL(A.name)]', descr = '[sanitizeSQL(A.desc)]' WHERE id = '[sanitizeSQL(A.id)]'")
 medalQuery2.Execute()
 qdel(medalQuery2)
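Review bot: The new `+` lines still assemble each statement by interpolating values into the query text and rely on every call site remembering to wrap them in sanitizeSQL(), which closes the quote-break the `-` lines allowed but leaves the protection a per-call convention; the -37, -55 and -76 hunks follow the same pattern. If this fork's SSdbcore.NewQuery accepts an arguments list for placeholders, these call sites are the ones to convert so the driver rather than the reviewer keeps code and data apart. Separately, the return value of Execute() on the first `+` line is ignored, so a failed SELECT most likely makes NextRow() report no row and the code falls into the INSERT branch as though the achievement were absent; a guard such as `if(!medalQuery.Execute()) return` (or `continue`, depending on the loop this sits in) before the NextRow() check would surface that failure. A.name, A.id and A.desc come from the achievement datum constructed by `new i` two lines earlier, so a short comment on the INSERT and UPDATE lines, e.g. `// values are code-defined today; keep sanitizeSQL() so the query stays safe if they ever come from elsewhere`, would stop a later cleanup removing the wrapper as redundant. The enclosing proc starts before this hunk and the hunk's trailing context appears to have been lost in the collapse.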
@@ -37,9 +37,9 @@ SUBSYSTEM_DEF(achievements)
 found_achievement = TRUE
 if(!found_achievement)
 log_sql("Old achievement [id] found in database, removing")
- var/datum/DBQuery/getRidOfOldStuff = SSdbcore.NewQuery("DELETE FROM [format_table_name("achievements")] WHERE id = '[id]'")
+ var/datum/DBQuery/getRidOfOldStuff = SSdbcore.NewQuery("DELETE FROM [format_table_name("achievements")] WHERE id = '[sanitizeSQL(id)]'")
 getRidOfOldStuff.Execute()
- var/datum/DBQuery/ridTheOtherTableAsWell = SSdbcore.NewQuery("DELETE FROM [format_table_name("earned_achievements")] WHERE id = '[id]'")
+ var/datum/DBQuery/ridTheOtherTableAsWell = SSdbcore.NewQuery("DELETE FROM [format_table_name("earned_achievements")] WHERE id = '[sanitizeSQL(id)]'")
 ridTheOtherTableAsWell.Execute()
 qdel(ridTheOtherTableAsWell)
 qdel(getRidOfOldStuff)
@@ -55,7 +55,7 @@ SUBSYSTEM_DEF(achievements)
 if(istype(achievement,/datum/achievement/greentext) && achievementPath != /datum/achievement/greentext)
 unlock_achievement(/datum/achievement/greentext,C) // Oooh, a little bit recursive!
 if(!has_achievement(achievementPath, C))
- var/datum/DBQuery/medalQuery = SSdbcore.NewQuery("INSERT INTO [format_table_name("earned_achievements")] (ckey, id) VALUES ('[C.ckey]', '[achievement.id]')")
+ var/datum/DBQuery/medalQuery = SSdbcore.NewQuery("INSERT INTO [format_table_name("earned_achievements")] (ckey, id) VALUES ('[sanitizeSQL(C.ckey)]', '[sanitizeSQL(achievement.id)]')")
 medalQuery.Execute()
 qdel(medalQuery)
 cached_achievements[C.ckey] += achievement
@@ -76,7 +76,7 @@ SUBSYSTEM_DEF(achievements)
 return (achievement in cached_achievements[C.ckey])
 /datum/controller/subsystem/achievements/proc/cache_achievements(client/C)
- var/datum/DBQuery/cacheQuery = SSdbcore.NewQuery("SELECT id FROM [format_table_name("earned_achievements")] WHERE ckey = '[C.ckey]'")
+ var/datum/DBQuery/cacheQuery = SSdbcore.NewQuery("SELECT id FROM [format_table_name("earned_achievements")] WHERE ckey = '[sanitizeSQL(C.ckey)]'")
 cacheQuery.Execute()
 cached_achievements[C.ckey] = list()
 while(cacheQuery.NextRow())