game: escape highscore and award inputs

src/game/questlua.cpp

@@ -209,12 +209,14 @@ namespace quest
 	{
 		CQuestManager & q = CQuestManager::instance();
 		const char * pszBoardName = lua_tostring(L, 1);
+		const std::string escapedBoardName = DBManager::instance().EscapeStringCopy(
+			pszBoardName ? pszBoardName : "", pszBoardName ? strlen(pszBoardName) : 0);
 		DWORD mypid = q.GetCurrentCharacterPtr()->GetPlayerID();
 		bool bOrder = (int) lua_tonumber(L, 2) != 0 ? true : false;
 
 		DBManager::instance().ReturnQuery(QID_HIGHSCORE_SHOW, mypid, NULL, 
 				"SELECT h.pid, p.name, h.value FROM highscore%s as h, player%s as p WHERE h.board = '%s' AND h.pid = p.id ORDER BY h.value %s LIMIT 10",
-				get_table_postfix(), get_table_postfix(), pszBoardName, bOrder ? "DESC" : "");
+				get_table_postfix(), get_table_postfix(), escapedBoardName.c_str(), bOrder ? "DESC" : "");
 		return 0;
 	}
 
@@ -228,9 +230,11 @@ namespace quest
 		qi->dwPID = q.GetCurrentCharacterPtr()->GetPlayerID();
 		qi->iValue = (int) lua_tonumber(L, 2);
 		qi->bOrder = (int) lua_tonumber(L, 3);
+		const std::string escapedBoard = DBManager::instance().EscapeStringCopy(
+			qi->szBoard, strnlen(qi->szBoard, sizeof(qi->szBoard)));
 
 		DBManager::instance().ReturnQuery(QID_HIGHSCORE_REGISTER, qi->dwPID, qi, 
-				"SELECT value FROM highscore%s WHERE board='%s' AND pid=%u", get_table_postfix(), qi->szBoard, qi->dwPID);
+				"SELECT value FROM highscore%s WHERE board='%s' AND pid=%u", get_table_postfix(), escapedBoard.c_str(), qi->dwPID);
 		return 1;
 	}