diff --git a/luascripts/wolfadmin/db/mysql.lua b/luascripts/wolfadmin/db/mysql.lua
index 3af61df..78d13f4 100644
--- a/luascripts/wolfadmin/db/mysql.lua
+++ b/luascripts/wolfadmin/db/mysql.lua
@@ -32,7 +32,7 @@ local cur
 -- config
 function mysql.isSchemaExistent()
- cur = assert(con:execute("SELECT * FROM `information_schema`.`tables` WHERE `table_schema`='"..util.escape(settings.get("db_database")).."' AND `table_name`='config' LIMIT 1"))
+ cur = assert(con:execute("SELECT * FROM `information_schema`.`tables` WHERE `table_schema`='"..con:escape(settings.get("db_database")).."' AND `table_name`='config' LIMIT 1"))
 local tbl = cur:fetch({}, "a")
 cur:close()
@@ -42,11 +42,11 @@ end
 -- players
 function mysql.addPlayer(guid, ip, lastSeen, seen)
- cur = assert(con:execute("INSERT INTO `player` (`guid`, `ip`, `level_id`, `lastseen`, `seen`) VALUES ('"..util.escape(guid).."', '"..util.escape(ip).."', 0, "..tonumber(lastSeen)..", "..tonumber(seen)..")"))
+ cur = assert(con:execute("INSERT INTO `player` (`guid`, `ip`, `level_id`, `lastseen`, `seen`) VALUES ('"..con:escape(guid).."', '"..con:escape(ip).."', 0, "..tonumber(lastSeen)..", "..tonumber(seen)..")"))
 end
 function mysql.updatePlayer(guid, ip, lastSeen)
- cur = assert(con:execute("UPDATE `player` SET `ip`='"..util.escape(ip).."', `lastseen`="..lastSeen..", `seen`=`seen`+1 WHERE `guid`='"..util.escape(guid).."'"))
+ cur = assert(con:execute("UPDATE `player` SET `ip`='"..con:escape(ip).."', `lastseen`="..lastSeen..", `seen`=`seen`+1 WHERE `guid`='"..con:escape(guid).."'"))
 end
 function mysql.updatePlayerLevel(id, level)
@@ -86,7 +86,7 @@ function mysql.getPlayers(limit, offset)
 end
 function mysql.getPlayer(guid)
- cur = assert(con:execute("SELECT * FROM `player` WHERE `guid`='"..util.escape(guid).."'"))
+ cur = assert(con:execute("SELECT * FROM `player` WHERE `guid`='"..con:escape(guid).."'"))
 local player = cur:fetch({}, "a")
 cur:close()
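Review bot: In `mysql.updatePlayer` the `lastseen` column is still built as `..lastSeen..` with no `tonumber()`, while `addPlayer` directly above and every other numeric column in these hunks converts first; that value sits outside quotes, so `con:escape` cannot help it, and a non-numeric string (presumably the caller passes a timestamp, but nothing visible here enforces that) would land in the statement verbatim. Changing it to `..tonumber(lastSeen)..` makes the field fail closed with a concatenation error like its neighbours. The identical line exists in `sqlite3.updatePlayer` in the sqlite3.lua hunk at @@ -42. Moving the quoted string columns to `con:escape` is the right call: it is the driver's connection-aware escaping, whereas the removed `util.escape` only backslashed quote characters.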
@@ -96,11 +96,11 @@ end
 -- levels
 function mysql.addLevel(id, name)
- cur = assert(con:execute("INSERT INTO `level` (`id`, `name`) VALUES ('"..tonumber(id).."', '"..util.escape(name).."')"))
+ cur = assert(con:execute("INSERT INTO `level` (`id`, `name`) VALUES ('"..tonumber(id).."', '"..con:escape(name).."')"))
 end
 function mysql.updateLevel(id, name)
- cur = assert(con:execute("UPDATE `level` SET `name`='"..util.escape(name).."' WHERE `id`='"..tonumber(id).."'"))
+ cur = assert(con:execute("UPDATE `level` SET `name`='"..con:escape(name).."' WHERE `id`='"..tonumber(id).."'"))
 end
 function mysql.removeLevel(id)
@@ -170,11 +170,11 @@ function mysql.getLevelPermissions()
 end
 function mysql.addLevelPermission(levelId, permission)
- cur = assert(con:execute("INSERT INTO `level_permission` (`level_id`, `permission`) VALUES ("..tonumber(levelId)..", '"..util.escape(permission).."')"))
+ cur = assert(con:execute("INSERT INTO `level_permission` (`level_id`, `permission`) VALUES ("..tonumber(levelId)..", '"..con:escape(permission).."')"))
 end
 function mysql.removeLevelPermission(levelId, permission)
- cur = assert(con:execute("DELETE FROM `level_permission` WHERE `level_id`="..tonumber(levelId).." AND permission='"..util.escape(permission).."'"))
+ cur = assert(con:execute("DELETE FROM `level_permission` WHERE `level_id`="..tonumber(levelId).." AND permission='"..con:escape(permission).."'"))
 end
 function mysql.copyLevelPermissions(levelId, newLevelId)
@@ -202,11 +202,11 @@ function mysql.getPlayerPermissions()
 end
 function mysql.addPlayerPermission(playerId, permission)
- cur = assert(con:execute("INSERT INTO `player_permission` (`player_id`, `permission`) VALUES ("..tonumber(playerId)..", '"..util.escape(permission).."')"))
+ cur = assert(con:execute("INSERT INTO `player_permission` (`player_id`, `permission`) VALUES ("..tonumber(playerId)..", '"..con:escape(permission).."')"))
 end
 function mysql.removePlayerPermission(playerId, permission)
- cur = assert(con:execute("DELETE FROM `player_permission` WHERE `player_id`="..tonumber(playerId).." AND permission='"..util.escape(permission).."'"))
+ cur = assert(con:execute("DELETE FROM `player_permission` WHERE `player_id`="..tonumber(playerId).." AND permission='"..con:escape(permission).."'"))
 end
 function mysql.copyPlayerPermissions(playerId, newPlayerId)
@@ -219,7 +219,7 @@ end
 -- aliases
 function mysql.addAlias(playerid, alias, lastused)
- cur = assert(con:execute("INSERT INTO `alias` (`player_id`, `alias`, `cleanalias`, `lastused`, `used`) VALUES ("..tonumber(playerid)..", '"..util.escape(alias).."', '"..util.escape(util.removeColors(alias)).."', "..tonumber(lastused)..", 1)"))
+ cur = assert(con:execute("INSERT INTO `alias` (`player_id`, `alias`, `cleanalias`, `lastused`, `used`) VALUES ("..tonumber(playerid)..", '"..con:escape(alias).."', '"..con:escape(util.removeColors(alias)).."', "..tonumber(lastused)..", 1)"))
 end
 function mysql.updateAlias(aliasid, lastused)
@@ -264,7 +264,7 @@ function mysql.getAliasById(aliasid)
 end
 function mysql.getAliasByName(playerid, aliasname)
- cur = assert(con:execute("SELECT * FROM `alias` WHERE `player_id`="..tonumber(playerid).." AND `alias`='"..util.escape(aliasname).."'"))
+ cur = assert(con:execute("SELECT * FROM `alias` WHERE `player_id`="..tonumber(playerid).." AND `alias`='"..con:escape(aliasname).."'"))
 local alias = cur:fetch({}, "a")
 cur:close()
@@ -292,7 +292,7 @@ end
 -- history
 function mysql.addHistory(victimId, invokerId, type, datetime, reason)
- cur = assert(con:execute("INSERT INTO `history` (`victim_id`, `invoker_id`, `type`, `datetime`, `reason`) VALUES ("..tonumber(victimId)..", "..tonumber(invokerId)..", '"..util.escape(type).."', "..tonumber(datetime)..", '"..util.escape(reason).."')"))
+ cur = assert(con:execute("INSERT INTO `history` (`victim_id`, `invoker_id`, `type`, `datetime`, `reason`) VALUES ("..tonumber(victimId)..", "..tonumber(invokerId)..", '"..con:escape(type).."', "..tonumber(datetime)..", '"..con:escape(reason).."')"))
 end
 function mysql.removeHistory(historyId)
@@ -338,7 +338,7 @@ end
 -- mutes
 function mysql.addMute(victimId, invokerId, type, issued, duration, reason)
- cur = assert(con:execute("INSERT INTO `mute` (`victim_id`, `invoker_id`, `type`, `issued`, `expires`, `duration`, `reason`) VALUES ("..tonumber(victimId)..", "..tonumber(invokerId)..", "..tonumber(type)..", "..tonumber(issued)..", "..tonumber(issued + duration)..", "..tonumber(duration)..", '"..util.escape(reason).."')"))
+ cur = assert(con:execute("INSERT INTO `mute` (`victim_id`, `invoker_id`, `type`, `issued`, `expires`, `duration`, `reason`) VALUES ("..tonumber(victimId)..", "..tonumber(invokerId)..", "..tonumber(type)..", "..tonumber(issued)..", "..tonumber(issued + duration)..", "..tonumber(duration)..", '"..con:escape(reason).."')"))
 end
 function mysql.removeMute(muteId)
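Review bot: `mysql.addMute` derives `expires` as `tonumber(issued + duration)`, adding the raw arguments before converting, while `mysql.addBan` in the next hunk writes the same column as `(tonumber(issued) + tonumber(duration))`. The two agree for numeric arguments, but the addMute form leans on Lua's arithmetic coercion for strings and errors before `tonumber` runs, so the conversion there documents nothing; matching addBan with `..(tonumber(issued) + tonumber(duration))..` keeps the two write paths readable side by side. The same applies to `sqlite3.addMute` in the sqlite3.lua hunk at @@ -338.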
@@ -397,7 +397,7 @@ end
 -- bans
 function mysql.addBan(victimId, invokerId, issued, duration, reason)
- cur = assert(con:execute("INSERT INTO `ban` (`victim_id`, `invoker_id`, `issued`, `expires`, `duration`, `reason`) VALUES ("..tonumber(victimId)..", "..tonumber(invokerId)..", "..tonumber(issued)..", "..(tonumber(issued) + tonumber(duration))..", "..tonumber(duration)..", '"..util.escape(reason).."')"))
+ cur = assert(con:execute("INSERT INTO `ban` (`victim_id`, `invoker_id`, `issued`, `expires`, `duration`, `reason`) VALUES ("..tonumber(victimId)..", "..tonumber(invokerId)..", "..tonumber(issued)..", "..(tonumber(issued) + tonumber(duration))..", "..tonumber(duration)..", '"..con:escape(reason).."')"))
 end
 function mysql.removeBan(banId)
@@ -456,7 +456,7 @@ end
 -- maps
 function mysql.addMap(mapname, lastplayed)
- cur = assert(con:execute("INSERT INTO `map` (`name`, `lastplayed`) VALUES ('"..util.escape(mapname).."', "..tonumber(lastplayed)..")"))
+ cur = assert(con:execute("INSERT INTO `map` (`name`, `lastplayed`) VALUES ('"..con:escape(mapname).."', "..tonumber(lastplayed)..")"))
 end
 function mysql.updateMap(mapid, lastplayed)
@@ -464,7 +464,7 @@ function mysql.updateMap(mapid, lastplayed)
 end
 function mysql.getMap(mapname)
- cur = assert(con:execute("SELECT * FROM `map` WHERE `name`='"..util.escape(mapname).."'"))
+ cur = assert(con:execute("SELECT * FROM `map` WHERE `name`='"..con:escape(mapname).."'"))
 local map = cur:fetch({}, "a")
 cur:close()
diff --git a/luascripts/wolfadmin/db/sqlite3.lua b/luascripts/wolfadmin/db/sqlite3.lua
index 7406d3f..ab708c8 100644
--- a/luascripts/wolfadmin/db/sqlite3.lua
+++ b/luascripts/wolfadmin/db/sqlite3.lua
@@ -42,11 +42,11 @@ end
 -- players
 function sqlite3.addPlayer(guid, ip, lastSeen, seen)
- cur = assert(con:execute("INSERT INTO `player` (`guid`, `ip`, `level_id`, `lastseen`, `seen`) VALUES ('"..util.escape(guid).."', '"..util.escape(ip).."', 0, "..tonumber(lastSeen)..", "..tonumber(seen)..")"))
+ cur = assert(con:execute("INSERT INTO `player` (`guid`, `ip`, `level_id`, `lastseen`, `seen`) VALUES ('"..con:escape(guid).."', '"..con:escape(ip).."', 0, "..tonumber(lastSeen)..", "..tonumber(seen)..")"))
 end
 function sqlite3.updatePlayer(guid, ip, lastSeen)
- cur = assert(con:execute("UPDATE `player` SET `ip`='"..util.escape(ip).."', `lastseen`="..lastSeen..", `seen`=`seen`+1 WHERE `guid`='"..util.escape(guid).."'"))
+ cur = assert(con:execute("UPDATE `player` SET `ip`='"..con:escape(ip).."', `lastseen`="..lastSeen..", `seen`=`seen`+1 WHERE `guid`='"..con:escape(guid).."'"))
 end
 function sqlite3.updatePlayerLevel(id, level)
@@ -86,7 +86,7 @@ function sqlite3.getPlayers(limit, offset)
 end
 function sqlite3.getPlayer(guid)
- cur = assert(con:execute("SELECT * FROM `player` WHERE `guid`='"..util.escape(guid).."'"))
+ cur = assert(con:execute("SELECT * FROM `player` WHERE `guid`='"..con:escape(guid).."'"))
 local player = cur:fetch({}, "a")
 cur:close()
@@ -96,11 +96,11 @@ end
 -- levels
 function sqlite3.addLevel(id, name)
- cur = assert(con:execute("INSERT INTO `level` (`id`, `name`) VALUES ('"..tonumber(id).."', '"..util.escape(name).."')"))
+ cur = assert(con:execute("INSERT INTO `level` (`id`, `name`) VALUES ('"..tonumber(id).."', '"..con:escape(name).."')"))
 end
 function sqlite3.updateLevel(id, name)
- cur = assert(con:execute("UPDATE `level` SET `name`='"..util.escape(name).."' WHERE `id`='"..tonumber(id).."'"))
+ cur = assert(con:execute("UPDATE `level` SET `name`='"..con:escape(name).."' WHERE `id`='"..tonumber(id).."'"))
 end
 function sqlite3.removeLevel(id)
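Review bot: Every statement in the sqlite3 driver now goes through `con:escape`, a method LuaSQL implements per driver; whether the sqlite3 driver in the LuaSQL build the server loads actually provides it is not visible here, and if it does not, each of these functions raises on its first call instead of writing. Since the two drivers now share a single escaping contract, it is worth recording that requirement where `con` is opened (outside this hunk), e.g. `-- requires a LuaSQL sqlite3 driver that implements con:escape()`, or a one-time check at connect time such as `assert(con.escape, "LuaSQL sqlite3 driver lacks escape()")` if the driver exposes its methods through the metatable as LuaSQL usually does. The pre-existing `..lastSeen..` without `tonumber()` in `sqlite3.updatePlayer` is covered by the note on the mysql.lua hunk at @@ -42.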
@@ -170,11 +170,11 @@ function sqlite3.getLevelPermissions()
 end
 function sqlite3.addLevelPermission(levelId, permission)
- cur = assert(con:execute("INSERT INTO `level_permission` (`level_id`, `permission`) VALUES ("..tonumber(levelId)..", '"..util.escape(permission).."')"))
+ cur = assert(con:execute("INSERT INTO `level_permission` (`level_id`, `permission`) VALUES ("..tonumber(levelId)..", '"..con:escape(permission).."')"))
 end
 function sqlite3.removeLevelPermission(levelId, permission)
- cur = assert(con:execute("DELETE FROM `level_permission` WHERE `level_id`="..tonumber(levelId).." AND permission='"..util.escape(permission).."'"))
+ cur = assert(con:execute("DELETE FROM `level_permission` WHERE `level_id`="..tonumber(levelId).." AND permission='"..con:escape(permission).."'"))
 end
 function sqlite3.copyLevelPermissions(levelId, newLevelId)
@@ -202,11 +202,11 @@ function sqlite3.getPlayerPermissions(playerId)
 end
 function sqlite3.addPlayerPermission(playerId, permission)
- cur = assert(con:execute("INSERT INTO `player_permission` (`player_id`, `permission`) VALUES ("..tonumber(playerId)..", '"..util.escape(permission).."')"))
+ cur = assert(con:execute("INSERT INTO `player_permission` (`player_id`, `permission`) VALUES ("..tonumber(playerId)..", '"..con:escape(permission).."')"))
 end
 function sqlite3.removePlayerPermission(playerId, permission)
- cur = assert(con:execute("DELETE FROM `player_permission` WHERE `player_id`="..tonumber(playerId).." AND permission='"..util.escape(permission).."'"))
+ cur = assert(con:execute("DELETE FROM `player_permission` WHERE `player_id`="..tonumber(playerId).." AND permission='"..con:escape(permission).."'"))
 end
 function sqlite3.copyPlayerPermissions(playerId, newPlayerId)
@@ -219,7 +219,7 @@ end
 -- aliases
 function sqlite3.addAlias(playerid, alias, lastused)
- cur = assert(con:execute("INSERT INTO `alias` (`player_id`, `alias`, `cleanalias`, `lastused`, `used`) VALUES ("..tonumber(playerid)..", '"..util.escape(alias).."', '"..util.escape(util.removeColors(alias)).."', "..tonumber(lastused)..", 1)"))
+ cur = assert(con:execute("INSERT INTO `alias` (`player_id`, `alias`, `cleanalias`, `lastused`, `used`) VALUES ("..tonumber(playerid)..", '"..con:escape(alias).."', '"..con:escape(util.removeColors(alias)).."', "..tonumber(lastused)..", 1)"))
 end
 function sqlite3.updateAlias(aliasid, lastused)
@@ -264,7 +264,7 @@ function sqlite3.getAliasById(aliasid)
 end
 function sqlite3.getAliasByName(playerid, aliasname)
- cur = assert(con:execute("SELECT * FROM `alias` WHERE `player_id`="..tonumber(playerid).." AND `alias`='"..util.escape(aliasname).."'"))
+ cur = assert(con:execute("SELECT * FROM `alias` WHERE `player_id`="..tonumber(playerid).." AND `alias`='"..con:escape(aliasname).."'"))
 local alias = cur:fetch({}, "a")
 cur:close()
@@ -292,7 +292,7 @@ end
 -- history
 function sqlite3.addHistory(victimId, invokerId, type, datetime, reason)
- cur = assert(con:execute("INSERT INTO `history` (`victim_id`, `invoker_id`, `type`, `datetime`, `reason`) VALUES ("..tonumber(victimId)..", "..tonumber(invokerId)..", '"..util.escape(type).."', "..tonumber(datetime)..", '"..util.escape(reason).."')"))
+ cur = assert(con:execute("INSERT INTO `history` (`victim_id`, `invoker_id`, `type`, `datetime`, `reason`) VALUES ("..tonumber(victimId)..", "..tonumber(invokerId)..", '"..con:escape(type).."', "..tonumber(datetime)..", '"..con:escape(reason).."')"))
 end
 function sqlite3.removeHistory(historyId)
@@ -338,7 +338,7 @@ end
 -- mutes
 function sqlite3.addMute(victimId, invokerId, type, issued, duration, reason)
- cur = assert(con:execute("INSERT INTO `mute` (`victim_id`, `invoker_id`, `type`, `issued`, `expires`, `duration`, `reason`) VALUES ("..tonumber(victimId)..", "..tonumber(invokerId)..", "..tonumber(type)..", "..tonumber(issued)..", "..tonumber(issued + duration)..", "..tonumber(duration)..", '"..util.escape(reason).."')"))
+ cur = assert(con:execute("INSERT INTO `mute` (`victim_id`, `invoker_id`, `type`, `issued`, `expires`, `duration`, `reason`) VALUES ("..tonumber(victimId)..", "..tonumber(invokerId)..", "..tonumber(type)..", "..tonumber(issued)..", "..tonumber(issued + duration)..", "..tonumber(duration)..", '"..con:escape(reason).."')"))
 end
 function sqlite3.removeMute(muteId)
@@ -397,7 +397,7 @@ end
 -- bans
 function sqlite3.addBan(victimId, invokerId, issued, duration, reason)
- cur = assert(con:execute("INSERT INTO `ban` (`victim_id`, `invoker_id`, `issued`, `expires`, `duration`, `reason`) VALUES ("..tonumber(victimId)..", "..tonumber(invokerId)..", "..tonumber(issued)..", "..(tonumber(issued) + tonumber(duration))..", "..tonumber(duration)..", '"..util.escape(reason).."')"))
+ cur = assert(con:execute("INSERT INTO `ban` (`victim_id`, `invoker_id`, `issued`, `expires`, `duration`, `reason`) VALUES ("..tonumber(victimId)..", "..tonumber(invokerId)..", "..tonumber(issued)..", "..(tonumber(issued) + tonumber(duration))..", "..tonumber(duration)..", '"..con:escape(reason).."')"))
 end
 function sqlite3.removeBan(banId)
@@ -456,7 +456,7 @@ end
 -- maps
 function sqlite3.addMap(mapname, lastplayed)
- cur = assert(con:execute("INSERT INTO `map` (`name`, `lastplayed`) VALUES ('"..util.escape(mapname).."', "..tonumber(lastplayed)..")"))
+ cur = assert(con:execute("INSERT INTO `map` (`name`, `lastplayed`) VALUES ('"..con:escape(mapname).."', "..tonumber(lastplayed)..")"))
 end
 function sqlite3.updateMap(mapid, lastplayed)
@@ -464,7 +464,7 @@ function sqlite3.updateMap(mapid, lastplayed)
 end
 function sqlite3.getMap(mapname)
- cur = assert(con:execute("SELECT * FROM `map` WHERE `name`='"..util.escape(mapname).."'"))
+ cur = assert(con:execute("SELECT * FROM `map` WHERE `name`='"..con:escape(mapname).."'"))
 local map = cur:fetch({}, "a")
 cur:close()
diff --git a/luascripts/wolfadmin/util/util.lua b/luascripts/wolfadmin/util/util.lua
index 7eb8b79..af874c1 100644
--- a/luascripts/wolfadmin/util/util.lua
+++ b/luascripts/wolfadmin/util/util.lua
@@ -48,12 +48,6 @@ function util.split(str, pat)
 return t
 end
-function util.escape(str)
- util.typecheck("util.escape", {str}, {"string"})
-
- return string.gsub(str, "([\"'])", "\\%1")
-end
-
 function util.removeColors(str)
 util.typecheck("util.removeColors", {str}, {"string"})