From 4796b551addd73395f87a10baf1309664127b78f Mon Sep 17 00:00:00 2001 From: TheMatt2 Date: Thu, 6 Jan 2022 16:05:03 -0500 Subject: [PATCH] Additional SQLite lookup sanitizing with CDClientDatabase::ExecuteQueryWithArgs() --- dDatabase/Tables/CDBehaviorParameterTable.cpp | 8 +++----- dGame/dComponents/RenderComponent.cpp | 14 ++++++-------- dGame/dInventory/ItemSet.cpp | 16 ++++++---------- 3 files changed, 15 insertions(+), 23 deletions(-) diff --git a/dDatabase/Tables/CDBehaviorParameterTable.cpp b/dDatabase/Tables/CDBehaviorParameterTable.cpp index b29a8267..2a1554cb 100644 --- a/dDatabase/Tables/CDBehaviorParameterTable.cpp +++ b/dDatabase/Tables/CDBehaviorParameterTable.cpp @@ -59,11 +59,9 @@ float CDBehaviorParameterTable::GetEntry(const uint32_t behaviorID, const std::s } #ifndef CDCLIENT_CACHE_ALL - std::stringstream query; - - query << "SELECT parameterID, value FROM BehaviorParameter WHERE behaviorID = " << std::to_string(behaviorID); - - auto tableData = CDClientDatabase::ExecuteQuery(query.str()); + auto tableData = CDClientDatabase::ExecuteQueryWithArgs( + "SELECT parameterID, value FROM BehaviorParameter WHERE behaviorID = %u;", + behaviorID); m_Entries.insert_or_assign(behaviorID, 0); diff --git a/dGame/dComponents/RenderComponent.cpp b/dGame/dComponents/RenderComponent.cpp index aeb56f56..b4787d40 100644 --- a/dGame/dComponents/RenderComponent.cpp +++ b/dGame/dComponents/RenderComponent.cpp @@ -198,14 +198,12 @@ void RenderComponent::PlayEffect(const int32_t effectId, const std::u16string& e return; } - std::stringstream query; + const std::string effectType_str = GeneralUtils::UTF16ToWTF8(effectType); + auto result = CDClientDatabase::ExecuteQueryWithArgs( + "SELECT animation_length FROM Animations WHERE animation_type IN (SELECT animationName FROM BehaviorEffect WHERE effectID = %d AND effectType = %Q);", + effectId, effectType_str.c_str()); - query << "SELECT animation_length FROM Animations WHERE animation_type IN (SELECT animationName FROM BehaviorEffect WHERE effectID = " << std::to_string(effectId) << " AND effectType = '" << GeneralUtils::UTF16ToWTF8(effectType) << "');"; - - auto result = CDClientDatabase::ExecuteQuery(query.str()); - - if (result.eof() || result.fieldIsNull(0)) - { + if (result.eof() || result.fieldIsNull(0)) { result.finalize(); m_DurationCache[effectId] = 0; @@ -214,7 +212,7 @@ void RenderComponent::PlayEffect(const int32_t effectId, const std::u16string& e return; } - + effect->time = static_cast(result.getFloatField(0)); result.finalize(); diff --git a/dGame/dInventory/ItemSet.cpp b/dGame/dInventory/ItemSet.cpp index d1e74df4..93e86a81 100644 --- a/dGame/dInventory/ItemSet.cpp +++ b/dGame/dInventory/ItemSet.cpp @@ -15,11 +15,9 @@ ItemSet::ItemSet(const uint32_t id, InventoryComponent* inventoryComponent) this->m_PassiveAbilities = ItemSetPassiveAbility::FindAbilities(id, m_InventoryComponent->GetParent(), this); - std::stringstream query; - - query << "SELECT skillSetWith2, skillSetWith3, skillSetWith4, skillSetWith5, skillSetWith6, itemIDs FROM ItemSets WHERE setID = " << std::to_string(id); - - auto result = CDClientDatabase::ExecuteQuery(query.str()); + auto result = CDClientDatabase::ExecuteQueryWithArgs( + "SELECT skillSetWith2, skillSetWith3, skillSetWith4, skillSetWith5, skillSetWith6, itemIDs FROM ItemSets WHERE setID = %u;", + id); if (result.eof()) { @@ -33,11 +31,9 @@ ItemSet::ItemSet(const uint32_t id, InventoryComponent* inventoryComponent) continue; } - std::stringstream skillQuery; - - skillQuery << "SELECT SkillID FROM ItemSetSkills WHERE SkillSetID = " << std::to_string(result.getIntField(i)); - - auto skillResult = CDClientDatabase::ExecuteQuery(skillQuery.str()); + auto skillResult = CDClientDatabase::ExecuteQueryWithArgs( + "SELECT SkillID FROM ItemSetSkills WHERE SkillSetID = %d;", + result.getIntField(i)); if (skillResult.eof()) {