From 719440575ff94993a09c9d6c7cdb62b23e435fd7 Mon Sep 17 00:00:00 2001
From: server <server@jakubkadlec.dev>
Date: Tue, 14 Apr 2026 11:04:06 +0200
Subject: [PATCH] db: prepare safebox password change flow

---
 src/db/ClientManager.cpp | 94 +++++++++++++++++++++++++++++++++++++---
 1 file changed, 87 insertions(+), 7 deletions(-)

diff --git a/src/db/ClientManager.cpp b/src/db/ClientManager.cpp
index fea4f12..ed08a45 100644
--- a/src/db/ClientManager.cpp
+++ b/src/db/ClientManager.cpp
@@ -17,6 +17,7 @@
 #include "Marriage.h"
 #include "ItemIDRangeManager.h"
 #include "Cache.h"
+#include "libsql/Statement.h"
 
 #include <memory>
 
@@ -37,6 +38,72 @@ CPacketInfo g_item_info;
 int g_item_count = 0;
 int g_query_count[2];
 
+namespace
+{
+bool LoadSafeboxPasswordByAccountId(DWORD accountId, char* password, size_t passwordSize, bool* found)
+{
+	char query[QUERY_MAX_LEN];
+	snprintf(query, sizeof(query), "SELECT password FROM safebox%s WHERE account_id = ?", GetTablePostfix());
+
+	*found = false;
+	password[0] = '\0';
+
+	CStmt stmt;
+	if (!stmt.Prepare(CDBManager::instance().GetDirectSQL(SQL_PLAYER), query))
+		return false;
+
+	if (!stmt.BindParam(MYSQL_TYPE_LONG, &accountId))
+		return false;
+
+	if (!stmt.BindResult(MYSQL_TYPE_STRING, password, passwordSize))
+		return false;
+
+	if (!stmt.Execute())
+		return false;
+
+	if (stmt.iRows == 0)
+		return true;
+
+	if (!stmt.Fetch())
+		return false;
+
+	*found = true;
+	return true;
+}
+
+bool UpdateSafeboxPasswordByAccountId(DWORD accountId, const char* password)
+{
+	char query[QUERY_MAX_LEN];
+	snprintf(query, sizeof(query), "UPDATE safebox%s SET password = ? WHERE account_id = ?", GetTablePostfix());
+
+	CStmt stmt;
+	if (!stmt.Prepare(CDBManager::instance().GetDirectSQL(SQL_PLAYER), query))
+		return false;
+
+	if (!stmt.BindParam(MYSQL_TYPE_STRING, const_cast<char*>(password), SAFEBOX_PASSWORD_MAX_LEN))
+		return false;
+
+	if (!stmt.BindParam(MYSQL_TYPE_LONG, &accountId))
+		return false;
+
+	return stmt.Execute() != 0;
+}
+
+bool MatchesSafeboxPassword(const char* storedPassword, const char* providedPassword)
+{
+	if ((storedPassword && *storedPassword))
+		return !strcasecmp(storedPassword, providedPassword);
+
+	return !strcmp("000000", providedPassword);
+}
+
+void EncodeSafeboxPasswordChangeAnswer(CPeer* pkPeer, DWORD dwHandle, BYTE success)
+{
+	pkPeer->EncodeHeader(DG::SAFEBOX_CHANGE_PASSWORD_ANSWER, dwHandle, sizeof(BYTE));
+	pkPeer->EncodeBYTE(success);
+}
+}
+
 CClientManager::CClientManager() :
 	m_pkAuthPeer(NULL),
 	m_iPlayerIDStart(0),
@@ -817,15 +884,28 @@ void CClientManager::RESULT_SAFEBOX_CHANGE_SIZE(CPeer * pkPeer, SQLMsg * msg)
 
 void CClientManager::QUERY_SAFEBOX_CHANGE_PASSWORD(CPeer * pkPeer, DWORD dwHandle, TSafeboxChangePasswordPacket * p)
 {
-	ClientHandleInfo * pi = new ClientHandleInfo(dwHandle);
-	strlcpy(pi->safebox_password, p->szNewPassword, sizeof(pi->safebox_password));
-	strlcpy(pi->login, p->szOldPassword, sizeof(pi->login));
-	pi->account_id = p->dwID;
+	char storedPassword[SAFEBOX_PASSWORD_MAX_LEN + 1];
+	bool found = false;
 
-	char szQuery[QUERY_MAX_LEN];
-	snprintf(szQuery, sizeof(szQuery), "SELECT password FROM safebox%s WHERE account_id=%u", GetTablePostfix(), p->dwID);
+	if (!LoadSafeboxPasswordByAccountId(p->dwID, storedPassword, sizeof(storedPassword), &found))
+	{
+		EncodeSafeboxPasswordChangeAnswer(pkPeer, dwHandle, 0);
+		return;
+	}
 
-	CDBManager::instance().ReturnQuery(szQuery, QID_SAFEBOX_CHANGE_PASSWORD, pkPeer->GetHandle(), pi);
+	if (!found || !MatchesSafeboxPassword(storedPassword, p->szOldPassword))
+	{
+		EncodeSafeboxPasswordChangeAnswer(pkPeer, dwHandle, 0);
+		return;
+	}
+
+	if (!UpdateSafeboxPasswordByAccountId(p->dwID, p->szNewPassword))
+	{
+		EncodeSafeboxPasswordChangeAnswer(pkPeer, dwHandle, 0);
+		return;
+	}
+
+	EncodeSafeboxPasswordChangeAnswer(pkPeer, dwHandle, 1);
 }
 
 void CClientManager::RESULT_SAFEBOX_CHANGE_PASSWORD(CPeer * pkPeer, SQLMsg * msg)