Madein : Alpha (FIX- SQL Injection) and MakeGuild New Bug

[xcorper]

Hi,

When i add the code to CGuildManager::CreateGuild which fixes sql injection players can create 2 guilds with the same name, are there any fix about it?

 Spoiler

DWORD CGuildManager::CreateGuild(TGuildCreateParameter& gcp)
{
if (!gcp.master)
return 0;

if (!check_name(gcp.name))
{
gcp.master->ChatPacket(CHAT_TYPE_INFO, LC_TEXT("<길드> 길드 이름이 적합하지 않습니다."));
return 0;
}

static char __escape_name[GUILD_NAME_MAX_LEN * 2 + 1];
DBManager::instance().EscapeString(__escape_name, sizeof(__escape_name), static_cast<const char *>(gcp.name), sizeof(gcp.name));

std::auto_ptr<SQLMsg> pmsg(DBManager::instance().DirectQuery("SELECT COUNT(*) FROM guild%s WHERE name = '%s'",
get_table_postfix(), __escape_name));

if (pmsg->Get()->uiNumRows > 0)
{
MYSQL_ROW row = mysql_fetch_row(pmsg->Get()->pSQLResult);

if (!(row[0] && row[0][0] == '0'))
{
gcp.master->ChatPacket(CHAT_TYPE_INFO, LC_TEXT("<길드> 이미 같은 이름의 길드가 있습니다."));
return 0;
}
}
else
{
gcp.master->ChatPacket(CHAT_TYPE_INFO, LC_TEXT("<길드> 길드를 생성할 수 없습니다."));
return 0;
}

// new CGuild(gcp) queries guild tables and tell dbcache to notice other game servers.
// other game server calls CGuildManager::LoadGuild to load guild.
CGuild * pg = M2_NEW CGuild(gcp);
m_mapGuild.insert(std::make_pair(pg->GetID(), pg));
return pg->GetID();
}

Bug screen;

[DasSchwarzeT]

Just remove the "MakeGuild" Fix. It's not necessary.

[xcorper]

Quote:

Originally Posted by DasSchwarzeT

Just remove the "MakeGuild" Fix. It's not necessary.

Why remove?

[DasSchwarzeT]

Quote:

Originally Posted by xcorper

Why remove?

As I already said the "fix" isn't necessary and causes the bug of duplicated guilds.

[Ken™]

Quote:

Originally Posted by DasSchwarzeT

Just remove the "MakeGuild" Fix. It's not necessary.

You don't have to remove the codes in the source files.

I really don't know how many times I should say this. You don't have to implement the second fix in your source files. The system is already checking the alpha characters 2 times. Just use the original codes.

Code:

DWORD CGuildManager::CreateGuild(TGuildCreateParameter& gcp)
{
	if (!gcp.master)
		return 0;

	if (!check_name(gcp.name))
	{
		gcp.master->ChatPacket(CHAT_TYPE_INFO, LC_TEXT("<길드> 길드 이름이 적합하지 않습니다."));
		return 0;
	}

	std::auto_ptr<SQLMsg> pmsg(DBManager::instance().DirectQuery("SELECT COUNT(*) FROM guild%s WHERE name = '%s'",
				get_table_postfix(), gcp.name));

	if (pmsg->Get()->uiNumRows > 0)
	{
		MYSQL_ROW row = mysql_fetch_row(pmsg->Get()->pSQLResult);

		if (!(row[0] && row[0][0] == '0'))
		{
			gcp.master->ChatPacket(CHAT_TYPE_INFO, LC_TEXT("<길드> 이미 같은 이름의 길드가 있습니다."));
			return 0;
		}
	}
	else
	{
		gcp.master->ChatPacket(CHAT_TYPE_INFO, LC_TEXT("<길드> 길드를 생성할 수 없습니다."));
		return 0;
	}

	// new CGuild(gcp) queries guild tables and tell dbcache to notice other game servers.
	// other game server calls CGuildManager::LoadGuild to load guild.
	CGuild * pg = M2_NEW CGuild(gcp);
	m_mapGuild.insert(std::make_pair(pg->GetID(), pg));
	return pg->GetID();
}

Kind Regards ~ Ken

[xcorper]

Thank you.