From 6ab8220c9a7bc7037913a7364ba1ef9d1913062a Mon Sep 17 00:00:00 2001
From: server
Date: Mon, 13 Apr 2026 23:12:58 +0200
Subject: [PATCH] game: escape log query inputs
---
 src/game/log.cpp | 88 +++++++++++++++++++++++++++++++++++-------------
 1 file changed, 65 insertions(+), 23 deletions(-)
diff --git a/src/game/log.cpp b/src/game/log.cpp
index dc912ce..4e8f114 100644
--- a/src/game/log.cpp
+++ b/src/game/log.cpp
@@ -8,7 +8,20 @@
 #include "item.h"
 #include "locale_service.h"
-static char __escape_hint[1024];
+namespace
+{
+std::string EscapeLogString(CAsyncSQL& sql, const char* value)
+{
+ if (!value || *value == '\0')
+ return {};
+
+ const size_t length = strlen(value);
+ std::string escaped(length * 2 + 1, '\0');
+ const size_t escapedLength = sql.EscapeString(escaped.data(), escaped.size(), value, length);
+ escaped.resize(escapedLength);
+ return escaped;
+}
+}
 LogManager::LogManager() : m_bIsConnect(false)
 {
@@ -48,10 +61,12 @@ bool LogManager::IsConnected()
 void LogManager::ItemLog(DWORD dwPID, DWORD x, DWORD y, DWORD dwItemID, const char * c_pszText, const char * c_pszHint, const char * c_pszIP, DWORD dwVnum)
 {
- m_sql.EscapeString(__escape_hint, sizeof(__escape_hint), c_pszHint, strlen(c_pszHint));
+ const std::string escapedText = EscapeLogString(m_sql, c_pszText);
+ const std::string escapedHint = EscapeLogString(m_sql, c_pszHint);
+ const std::string escapedIP = EscapeLogString(m_sql, c_pszIP);
 Query("INSERT DELAYED INTO log%s (type, time, who, x, y, what, how, hint, ip, vnum) VALUES('ITEM', NOW(), %u, %u, %u, %u, '%s', '%s', '%s', %u)",
- get_table_postfix(), dwPID, x, y, dwItemID, c_pszText, __escape_hint, c_pszIP, dwVnum);
+ get_table_postfix(), dwPID, x, y, dwItemID, escapedText.c_str(), escapedHint.c_str(), escapedIP.c_str(), dwVnum);
 }
 void LogManager::ItemLog(LPCHARACTER ch, LPITEM item, const char * c_pszText, const char * c_pszHint)
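Review bot: `escaped.resize(escapedLength)` in EscapeLogString trusts whatever `sql.EscapeString` returns. CAsyncSQL::EscapeString is not part of this diff; if it forwards the result of `mysql_real_escape_string`, a failed escape comes back as an all-ones error value and the resize throws `std::length_error` out of a logging call. A guard before the resize, `if (escapedLength >= escaped.size()) return {};`, keeps a failed escape from taking the caller down. A one-line comment on the helper stating that its result is only safe inside a quoted SQL literal would also help, since every call site relies on that.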
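Review bot: Nothing in ItemLog now limits the length of the values handed to `Query`: the old code passed the 1024-byte `__escape_hint` size as a bound, while each escaped string here can be up to twice its input length. `Query` and its formatting buffer are outside this diff; if that buffer is fixed-size, an oversized text or hint would truncate the statement and the log row would be lost silently. Capping the input inside the helper, e.g. `const size_t length = std::min(strlen(value), kMaxLogFieldLength);` (the constant name is a placeholder), would cover this hunk and the CharLog, GMCommandLog and ShoutLog hunks as well.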
@@ -75,10 +90,12 @@ void LogManager::ItemLog(LPCHARACTER ch, int itemID, int itemVnum, const char *
 void LogManager::CharLog(DWORD dwPID, DWORD x, DWORD y, DWORD dwValue, const char * c_pszText, const char * c_pszHint, const char * c_pszIP)
 {
- m_sql.EscapeString(__escape_hint, sizeof(__escape_hint), c_pszHint, strlen(c_pszHint));
+ const std::string escapedText = EscapeLogString(m_sql, c_pszText);
+ const std::string escapedHint = EscapeLogString(m_sql, c_pszHint);
+ const std::string escapedIP = EscapeLogString(m_sql, c_pszIP);
 Query("INSERT DELAYED INTO log%s (type, time, who, x, y, what, how, hint, ip) VALUES('CHARACTER', NOW(), %u, %u, %u, %u, '%s', '%s', '%s')",
- get_table_postfix(), dwPID, x, y, dwValue, c_pszText, __escape_hint, c_pszIP);
+ get_table_postfix(), dwPID, x, y, dwValue, escapedText.c_str(), escapedHint.c_str(), escapedIP.c_str());
 }
 void LogManager::CharLog(LPCHARACTER ch, DWORD dw, const char * c_pszText, const char * c_pszHint)
@@ -108,9 +125,14 @@ void LogManager::MoneyLog(BYTE type, DWORD vnum, int gold)
 void LogManager::HackLog(const char * c_pszHackName, const char * c_pszLogin, const char * c_pszName, const char * c_pszIP)
 {
- m_sql.EscapeString(__escape_hint, sizeof(__escape_hint), c_pszHackName, strlen(c_pszHackName));
+ const std::string escapedHackName = EscapeLogString(m_sql, c_pszHackName);
+ const std::string escapedLogin = EscapeLogString(m_sql, c_pszLogin);
+ const std::string escapedName = EscapeLogString(m_sql, c_pszName);
+ const std::string escapedIP = EscapeLogString(m_sql, c_pszIP);
+ const std::string escapedHostname = EscapeLogString(m_sql, g_stHostname.c_str());
- Query("INSERT INTO hack_log (time, login, name, ip, server, why) VALUES(NOW(), '%s', '%s', '%s', '%s', '%s')", c_pszLogin, c_pszName, c_pszIP, g_stHostname.c_str(), __escape_hint);
+ Query("INSERT INTO hack_log (time, login, name, ip, server, why) VALUES(NOW(), '%s', '%s', '%s', '%s', '%s')",
+ escapedLogin.c_str(), escapedName.c_str(), escapedIP.c_str(), escapedHostname.c_str(), escapedHackName.c_str());
 }
 void LogManager::HackLog(const char * c_pszHackName, LPCHARACTER ch)
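Review bot: The five `EscapeLogString` lines added to HackLog are repeated verbatim in HackCRCLog in the next hunk, and `g_stHostname` is re-escaped on every call although it presumably does not change after startup. A small file-local helper that takes the four pointers and returns the escaped set would keep the two functions from drifting apart the next time a column is added. Both function bodies lie entirely inside their hunks.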
@@ -126,12 +148,20 @@ void LogManager::HackLog(const char * c_pszHackName, LPCHARACTER ch)
 void LogManager::HackCRCLog(const char * c_pszHackName, const char * c_pszLogin, const char * c_pszName, const char * c_pszIP, DWORD dwCRC)
 {
- Query("INSERT INTO hack_crc_log (time, login, name, ip, server, why, crc) VALUES(NOW(), '%s', '%s', '%s', '%s', '%s', %u)", c_pszLogin, c_pszName, c_pszIP, g_stHostname.c_str(), c_pszHackName, dwCRC);
+ const std::string escapedHackName = EscapeLogString(m_sql, c_pszHackName);
+ const std::string escapedLogin = EscapeLogString(m_sql, c_pszLogin);
+ const std::string escapedName = EscapeLogString(m_sql, c_pszName);
+ const std::string escapedIP = EscapeLogString(m_sql, c_pszIP);
+ const std::string escapedHostname = EscapeLogString(m_sql, g_stHostname.c_str());
+
+ Query("INSERT INTO hack_crc_log (time, login, name, ip, server, why, crc) VALUES(NOW(), '%s', '%s', '%s', '%s', '%s', %u)",
+ escapedLogin.c_str(), escapedName.c_str(), escapedIP.c_str(), escapedHostname.c_str(), escapedHackName.c_str(), dwCRC);
 }
 void LogManager::GoldBarLog(DWORD dwPID, DWORD dwItemID, GOLDBAR_HOW eHow, const char* c_pszHint)
 {
 char szHow[32+1];
+ const std::string escapedHint = EscapeLogString(m_sql, c_pszHint);
 switch (eHow)
 {
@@ -169,7 +199,7 @@ void LogManager::GoldBarLog(DWORD dwPID, DWORD dwItemID, GOLDBAR_HOW eHow, const
 }
 Query("INSERT DELAYED INTO goldlog%s (date, time, pid, what, how, hint) VALUES(CURDATE(), CURTIME(), %u, %u, %s, '%s')",
- get_table_postfix(), dwPID, dwItemID, szHow, c_pszHint);
+ get_table_postfix(), dwPID, dwItemID, szHow, escapedHint.c_str());
 }
 void LogManager::CubeLog(DWORD dwPID, DWORD x, DWORD y, DWORD item_vnum, DWORD item_uid, int item_count, bool success)
@@ -188,34 +218,41 @@ void LogManager::SpeedHackLog(DWORD pid, DWORD x, DWORD y, int hack_count)
 void LogManager::ChangeNameLog(DWORD pid, const char *old_name, const char *new_name, const char *ip)
 {
+ const std::string escapedOldName = EscapeLogString(m_sql, old_name);
+ const std::string escapedNewName = EscapeLogString(m_sql, new_name);
+ const std::string escapedIP = EscapeLogString(m_sql, ip);
+
 Query("INSERT DELAYED INTO change_name%s (pid, old_name, new_name, time, ip) "
 "VALUES(%u, '%s', '%s', NOW(), '%s') ",
- get_table_postfix(), pid, old_name, new_name, ip);
+ get_table_postfix(), pid, escapedOldName.c_str(), escapedNewName.c_str(), escapedIP.c_str());
 }
 void LogManager::GMCommandLog(DWORD dwPID, const char* szName, const char* szIP, BYTE byChannel, const char* szCommand)
 {
- m_sql.EscapeString(__escape_hint, sizeof(__escape_hint), szCommand, strlen(szCommand));
+ const std::string escapedName = EscapeLogString(m_sql, szName);
+ const std::string escapedIP = EscapeLogString(m_sql, szIP);
+ const std::string escapedCommand = EscapeLogString(m_sql, szCommand);
 Query("INSERT DELAYED INTO command_log%s (userid, server, ip, port, username, command, date ) "
 "VALUES(%u, 999, '%s', %u, '%s', '%s', NOW()) ",
- get_table_postfix(), dwPID, szIP, byChannel, szName, __escape_hint);
+ get_table_postfix(), dwPID, escapedIP.c_str(), byChannel, escapedName.c_str(), escapedCommand.c_str());
 }
 void LogManager::RefineLog(DWORD pid, const char* item_name, DWORD item_id, int item_refine_level, int is_success, const char* how)
 {
- m_sql.EscapeString(__escape_hint, sizeof(__escape_hint), item_name, strlen(item_name));
+ const std::string escapedItemName = EscapeLogString(m_sql, item_name);
+ const std::string escapedHow = EscapeLogString(m_sql, how);
 Query("INSERT INTO refinelog%s (pid, item_name, item_id, step, time, is_success, setType) VALUES(%u, '%s', %u, %d, NOW(), %d, '%s')",
- get_table_postfix(), pid, __escape_hint, item_id, item_refine_level, is_success, how);
+ get_table_postfix(), pid, escapedItemName.c_str(), item_id, item_refine_level, is_success, escapedHow.c_str());
 }
 void LogManager::ShoutLog(BYTE bChannel, BYTE bEmpire, const char * pszText)
 {
- m_sql.EscapeString(__escape_hint, sizeof(__escape_hint), pszText, strlen(pszText));
+ const std::string escapedText = EscapeLogString(m_sql, pszText);
- Query("INSERT INTO shout_log%s VALUES(NOW(), %d, %d,'%s')", get_table_postfix(), bChannel, bEmpire, __escape_hint);
+ Query("INSERT INTO shout_log%s VALUES(NOW(), %d, %d,'%s')", get_table_postfix(), bChannel, bEmpire, escapedText.c_str());
 }
 void LogManager::LevelLog(LPCHARACTER pChar, unsigned int level, unsigned int playhour)
@@ -223,6 +260,7 @@ void LogManager::LevelLog(LPCHARACTER pChar, unsigned int level, unsigned int pl
 if (true == LC_IsEurope())
 {
 DWORD aid = 0;
+ const std::string escapedName = EscapeLogString(m_sql, pChar->GetName());
 if (NULL != pChar->GetDesc())
 {
@@ -230,19 +268,21 @@ void LogManager::LevelLog(LPCHARACTER pChar, unsigned int level, unsigned int pl
 }
 Query("REPLACE INTO levellog%s (name, level, time, account_id, pid, playtime) VALUES('%s', %u, NOW(), %u, %u, %d)",
- get_table_postfix(), pChar->GetName(), level, aid, pChar->GetPlayerID(), playhour);
+ get_table_postfix(), escapedName.c_str(), level, aid, pChar->GetPlayerID(), playhour);
 }
 else
 {
+ const std::string escapedName = EscapeLogString(m_sql, pChar->GetName());
 Query("REPLACE INTO levellog%s (name, level, time, playtime) VALUES('%s', %u, NOW(), %d)",
- get_table_postfix(), pChar->GetName(), level, playhour);
+ get_table_postfix(), escapedName.c_str(), level, playhour);
 }
 }
 void LogManager::BootLog(const char * c_pszHostName, BYTE bChannel)
 {
+ const std::string escapedHostName = EscapeLogString(m_sql, c_pszHostName);
 Query("INSERT INTO bootlog (time, hostname, channel) VALUES(NOW(), '%s', %d)",
- c_pszHostName, bChannel);
+ escapedHostName.c_str(), bChannel);
 }
 void LogManager::FishLog(DWORD dwPID, int prob_idx, int fish_id, int fish_level, DWORD dwMiliseconds, DWORD dwVnum, DWORD dwValue)
@@ -260,9 +300,10 @@ void LogManager::FishLog(DWORD dwPID, int prob_idx, int fish_id, int fish_level,
 void LogManager::QuestRewardLog(const char * c_pszQuestName, DWORD dwPID, DWORD dwLevel, int iValue1, int iValue2)
 {
+ const std::string escapedQuestName = EscapeLogString(m_sql, c_pszQuestName);
 Query("INSERT INTO quest_reward_log%s VALUES('%s',%u,%u,2,%u,%u,NOW())",
 get_table_postfix(),
- c_pszQuestName,
+ escapedQuestName.c_str(),
 dwPID,
 dwLevel,
 iValue1,
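Review bot: `escapedName` is declared twice in LevelLog, once inside the `if (true == LC_IsEurope())` branch (previous hunk) and again in the `else` branch here, with the same initializer. Hoisting a single `const std::string escapedName = EscapeLogString(m_sql, pChar->GetName());` above the `if` removes the duplication and keeps both REPLACE statements on the same value. LevelLog begins outside this hunk.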
@@ -276,14 +317,16 @@ void LogManager::DetailLoginLog(bool isLogin, LPCHARACTER ch)
 if (true == isLogin)
 {
+ const std::string escapedIP = EscapeLogString(m_sql, ch->GetDesc()->GetHostName());
+ const std::string escapedClientVersion = EscapeLogString(m_sql, ch->GetDesc()->GetClientVersion());
 Query("INSERT INTO loginlog2(type, is_gm, login_time, channel, account_id, pid, ip, client_version) "
 "VALUES('INVALID', %s, NOW(), %d, %u, %u, inet_aton('%s'), '%s')",
 ch->IsGM() ? "'Y'" : "'N'",
 g_bChannel,
 ch->GetDesc()->GetAccountTable().id,
 ch->GetPlayerID(),
- ch->GetDesc()->GetHostName(),
- ch->GetDesc()->GetClientVersion());
+ escapedIP.c_str(),
+ escapedClientVersion.c_str());
 }
 else
 {
@@ -301,4 +344,3 @@ void LogManager::DragonSlayLog(DWORD dwGuildID, DWORD dwDragonVnum, DWORD dwStar
 get_table_postfix(), dwGuildID, dwDragonVnum, dwStartTime, dwEndTime);
 }
-
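Review bot: `escapedIP` in DetailLoginLog holds the result of `GetHostName()`, and that value is then passed to `inet_aton('%s')`. The name hides which of the two it is; renaming it to `escapedHost`, or adding a comment that states what format `GetHostName()` yields, would make it clear whether a non-numeric host can reach `inet_aton`. The descriptor class is not in this diff, so that needs confirming there. The function's opening lines and its else branch are outside the hunk.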