From e5f7d164cbf958cabd6f6f7da9cf56356e565c18 Mon Sep 17 00:00:00 2001 From: TheMatt2 Date: Thu, 6 Jan 2022 21:12:47 -0500 Subject: [PATCH] Additional SQLite lookup sanitizing. Using CDClientDatabase::ExecuteQueryWithArgs() across all known lookups. --- dGame/dBehaviors/Behavior.cpp | 31 ++++++------------- dGame/dBehaviors/SwitchMultipleBehavior.cpp | 16 +++++----- dGame/dComponents/BaseCombatAIComponent.cpp | 17 ++++------ dGame/dComponents/BuffComponent.cpp | 8 ++--- dGame/dComponents/DestroyableComponent.cpp | 7 ++--- dGame/dComponents/InventoryComponent.cpp | 18 +++++------ dGame/dComponents/MissionComponent.cpp | 7 ++--- dGame/dComponents/PetComponent.cpp | 11 +++---- .../PropertyManagementComponent.cpp | 16 ++++------ .../RocketLaunchpadControlComponent.cpp | 8 ++--- dGame/dComponents/SkillComponent.cpp | 25 ++++++--------- dGame/dGameMessages/GameMessages.cpp | 8 ++--- dGame/dInventory/Item.cpp | 8 ++--- dGame/dUtilities/Preconditions.cpp | 11 +++---- dWorldServer/WorldServer.cpp | 8 ++--- dZoneManager/dZoneManager.cpp | 5 +-- 16 files changed, 75 insertions(+), 129 deletions(-) diff --git a/dGame/dBehaviors/Behavior.cpp b/dGame/dBehaviors/Behavior.cpp index 56a09c57..2e3290f7 100644 --- a/dGame/dBehaviors/Behavior.cpp +++ b/dGame/dBehaviors/Behavior.cpp @@ -275,13 +275,10 @@ Behavior* Behavior::CreateBehavior(const uint32_t behaviorId) return behavior; } -BehaviorTemplates Behavior::GetBehaviorTemplate(const uint32_t behaviorId) -{ - std::stringstream query; - - query << "SELECT templateID FROM BehaviorTemplate WHERE behaviorID = " << std::to_string(behaviorId); - - auto result = CDClientDatabase::ExecuteQuery(query.str()); +BehaviorTemplates Behavior::GetBehaviorTemplate(const uint32_t behaviorId) { + auto result = CDClientDatabase::ExecuteQueryWithArgs( + "SELECT templateID FROM BehaviorTemplate WHERE behaviorID = %u;", + behaviorId); // Make sure we do not proceed if we are trying to load an invalid behavior if (result.eof()) 
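Review bot: In `GetBehaviorTemplate` the value is still spliced into the SQL text by a format string rather than bound as a parameter, so the safety of the query now depends on every `%u`/`%d` matching the promoted type of its argument, and nothing visible in this patch checks that. The definition of `ExecuteQueryWithArgs` is outside the patch; if it is a plain variadic function that takes the format first, I would annotate its declaration with `__attribute__((format(printf, 1, 2)))` (or the project's equivalent) so that mismatches fail at compile time. The replaced code only concatenated integers via `std::to_string`, so the gain here is consistency rather than a closed injection path, and a short comment on the helper saying which argument types it accepts would keep later string arguments from being passed through it unescaped. The same applies to the other call sites in this patch, notably the `%u` on `zoneId` in WorldServer.cpp, where the adjacent log line prints the same value with `%d`. The function body continues past the end of this hunk.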
@@ -409,15 +406,9 @@ Behavior::Behavior(const uint32_t behaviorId) this->m_templateId = BehaviorTemplates::BEHAVIOR_EMPTY; } - /* - * Get standard info - */ - - std::stringstream query; - - query << "SELECT templateID, effectID, effectHandle FROM BehaviorTemplate WHERE behaviorID = " << std::to_string(behaviorId); - - auto result = CDClientDatabase::ExecuteQuery(query.str()); + auto result = CDClientDatabase::ExecuteQueryWithArgs( + "SELECT templateID, effectID, effectHandle FROM BehaviorTemplate WHERE behaviorID = %u;", + behaviorId); // Make sure we do not proceed if we are trying to load an invalid behavior if (result.eof()) @@ -490,11 +481,9 @@ std::map Behavior::GetParameterNames() const { std::map parameters; - std::stringstream query; - - query << "SELECT parameterID, value FROM BehaviorParameter WHERE behaviorID = " << std::to_string(this->m_behaviorId); - - auto tableData = CDClientDatabase::ExecuteQuery(query.str()); + auto tableData = CDClientDatabase::ExecuteQueryWithArgs( + "SELECT parameterID, value FROM BehaviorParameter WHERE behaviorID = %u;", + this->m_behaviorId); while (!tableData.eof()) { diff --git a/dGame/dBehaviors/SwitchMultipleBehavior.cpp b/dGame/dBehaviors/SwitchMultipleBehavior.cpp index 691e8b53..062ae9f0 100644 --- a/dGame/dBehaviors/SwitchMultipleBehavior.cpp +++ b/dGame/dBehaviors/SwitchMultipleBehavior.cpp 
@@ -39,15 +39,13 @@ void SwitchMultipleBehavior::Calculate(BehaviorContext* context, RakNet::BitStre // TODO } -void SwitchMultipleBehavior::Load() -{ - const auto b = std::to_string(this->m_behaviorId); - std::stringstream query; - query << "SELECT replace(bP1.parameterID, 'behavior ', '') as key, bP1.value as behavior, " - << "(select bP2.value FROM BehaviorParameter bP2 WHERE bP2.behaviorID = " << b << " AND bP2.parameterID LIKE 'value %' " - << "AND replace(bP1.parameterID, 'behavior ', '') = replace(bP2.parameterID, 'value ', '')) as value " - << "FROM BehaviorParameter bP1 WHERE bP1.behaviorID = " << b << " AND bP1.parameterID LIKE 'behavior %'"; - auto result = CDClientDatabase::ExecuteQuery(query.str()); +void SwitchMultipleBehavior::Load() { + auto result = CDClientDatabase::ExecuteQueryWithArgs( + "SELECT replace(bP1.parameterID, 'behavior ', '') as key, bP1.value as behavior, " + "(select bP2.value FROM BehaviorParameter bP2 WHERE bP2.behaviorID = %u AND bP2.parameterID LIKE 'value %' " + "AND replace(bP1.parameterID, 'behavior ', '') = replace(bP2.parameterID, 'value ', '')) as value " + "FROM BehaviorParameter bP1 WHERE bP1.behaviorID = %u AND bP1.parameterID LIKE 'behavior %';", + this->m_behaviorId, this->m_behaviorId); while (!result.eof()) { const auto behavior_id = static_cast(result.getFloatField(1)); diff --git a/dGame/dComponents/BaseCombatAIComponent.cpp b/dGame/dComponents/BaseCombatAIComponent.cpp index ae929d57..994f49c4 100644 --- a/dGame/dComponents/BaseCombatAIComponent.cpp +++ b/dGame/dComponents/BaseCombatAIComponent.cpp 
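Review bot: The two SQL `LIKE` wildcards in `SwitchMultipleBehavior::Load` are left as a bare `%` inside what is now a format string (`LIKE 'value %' ` and `LIKE 'behavior %';`), whereas the InventoryComponent hunk of this same patch escapes them as `'%%%d%%'`. If `ExecuteQueryWithArgs` formats printf-style, as that escaping suggests, the sequences `%' A…` and `%';` will be parsed as conversion specifications, which can consume or misread the two `m_behaviorId` arguments and produce a malformed query. The literals should read `LIKE 'value %%' ` and `LIKE 'behavior %%';`. The body of `Load` continues outside this hunk, so the result handling could not be checked here.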
@@ -35,11 +35,9 @@ BaseCombatAIComponent::BaseCombatAIComponent(Entity* parent, const uint32_t id) m_SoftTimer = 5.0f; //Grab the aggro information from BaseCombatAI: - std::stringstream componentQuery; - - componentQuery << "SELECT aggroRadius, tetherSpeed, pursuitSpeed, softTetherRadius, hardTetherRadius FROM BaseCombatAIComponent WHERE id = " << std::to_string(id); - - auto componentResult = CDClientDatabase::ExecuteQuery(componentQuery.str()); + auto componentResult = CDClientDatabase::ExecuteQueryWithArgs( + "SELECT aggroRadius, tetherSpeed, pursuitSpeed, softTetherRadius, hardTetherRadius FROM BaseCombatAIComponent WHERE id = %u;", + id); if (!componentResult.eof()) { @@ -64,12 +62,9 @@ BaseCombatAIComponent::BaseCombatAIComponent(Entity* parent, const uint32_t id) /* * Find skills */ - - std::stringstream query; - - query << "SELECT skillID, cooldown, behaviorID FROM SkillBehavior WHERE skillID IN (SELECT skillID FROM ObjectSkills WHERE objectTemplate = " << std::to_string(parent->GetLOT()) << " )"; - - auto result = CDClientDatabase::ExecuteQuery(query.str()); + auto result = CDClientDatabase::ExecuteQueryWithArgs( + "SELECT skillID, cooldown, behaviorID FROM SkillBehavior WHERE skillID IN (SELECT skillID FROM ObjectSkills WHERE objectTemplate = %d);", + parent->GetLOT()); while (!result.eof()) { const auto skillId = static_cast(result.getIntField(0)); diff --git a/dGame/dComponents/BuffComponent.cpp b/dGame/dComponents/BuffComponent.cpp index 06c859c8..afa5b321 100644 --- a/dGame/dComponents/BuffComponent.cpp +++ b/dGame/dComponents/BuffComponent.cpp 
@@ -371,11 +371,9 @@ const std::vector& BuffComponent::GetBuffParameters(int32_t buffI return pair->second; } - std::stringstream query; - - query << "SELECT * FROM BuffParameters WHERE BuffID = " << std::to_string(buffId) << ";"; - - auto result = CDClientDatabase::ExecuteQuery(query.str()); + auto result = CDClientDatabase::ExecuteQueryWithArgs( + "SELECT * FROM BuffParameters WHERE BuffID = %d;", + buffId); std::vector parameters {}; diff --git a/dGame/dComponents/DestroyableComponent.cpp b/dGame/dComponents/DestroyableComponent.cpp index fb4dfe61..91ff8b6e 100644 --- a/dGame/dComponents/DestroyableComponent.cpp +++ b/dGame/dComponents/DestroyableComponent.cpp @@ -373,11 +373,8 @@ void DestroyableComponent::AddFaction(const int32_t factionID, const bool ignore m_FactionIDs.push_back(factionID); m_DirtyHealth = true; - std::stringstream query; - - query << "SELECT enemyList FROM Factions WHERE faction = " << std::to_string(factionID); - - auto result = CDClientDatabase::ExecuteQuery(query.str()); + auto result = CDClientDatabase::ExecuteQueryWithArgs( + "SELECT enemyList FROM Factions WHERE faction = %d;", factionID); if (result.eof()) return; diff --git a/dGame/dComponents/InventoryComponent.cpp b/dGame/dComponents/InventoryComponent.cpp index 50ea26b1..1f9b4cc6 100644 --- a/dGame/dComponents/InventoryComponent.cpp +++ b/dGame/dComponents/InventoryComponent.cpp 
@@ -1136,22 +1136,18 @@ bool InventoryComponent::IsEquipped(const LOT lot) const return false; } -void InventoryComponent::CheckItemSet(const LOT lot) -{ +void InventoryComponent::CheckItemSet(const LOT lot) { // Check if the lot is in the item set cache - if (std::find(m_ItemSetsChecked.begin(), m_ItemSetsChecked.end(), lot) != m_ItemSetsChecked.end()) - { + if (std::find(m_ItemSetsChecked.begin(), m_ItemSetsChecked.end(), lot) != m_ItemSetsChecked.end()) { return; } - std::stringstream query; + std::cout << "INVENTORY CHECK" << std::endl; + auto result = CDClientDatabase::ExecuteQueryWithArgs( + "SELECT setID FROM ItemSets WHERE itemIDs LIKE '%%%d%%';", + lot); - query << "SELECT setID FROM ItemSets WHERE itemIDs LIKE '%" << std::to_string(lot) << "%'"; - - auto result = CDClientDatabase::ExecuteQuery(query.str()); - - while (!result.eof()) - { + while (!result.eof()) { const auto id = result.getIntField(0); bool found = false; diff --git a/dGame/dComponents/MissionComponent.cpp b/dGame/dComponents/MissionComponent.cpp index a0e63914..5945394b 100644 --- a/dGame/dComponents/MissionComponent.cpp +++ b/dGame/dComponents/MissionComponent.cpp @@ -450,11 +450,8 @@ const std::vector& MissionComponent::QueryAchievements(MissionTaskType } bool MissionComponent::RequiresItem(const LOT lot) { - std::stringstream query; - - query << "SELECT type FROM Objects WHERE id = " << std::to_string(lot); - - auto result = CDClientDatabase::ExecuteQuery(query.str()); + auto result = CDClientDatabase::ExecuteQueryWithArgs( + "SELECT type FROM Objects WHERE id = %d;", lot); if (result.eof()) { return false; diff --git a/dGame/dComponents/PetComponent.cpp b/dGame/dComponents/PetComponent.cpp index e605908f..8c51791a 100644 --- a/dGame/dComponents/PetComponent.cpp +++ b/dGame/dComponents/PetComponent.cpp 
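Review bot: `CheckItemSet` gains a leftover debug statement, `std::cout << "INVENTORY CHECK" << std::endl;`, which writes to stdout and flushes on every uncached lookup. It should be removed, or routed through `Game::logger->Log(...)` as the SkillComponent code in this patch does, if the trace is actually wanted. Separately, the carried-over pattern `LIKE '%%%d%%'` is a substring match on the decimal text of `lot`, so a short LOT can match inside a longer ID in `itemIDs`. The loop that follows may filter those out (it continues outside the hunk), but a comment such as `// substring match: results are verified against the set's item list below` would make that dependency explicit.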
@@ -166,13 +166,10 @@ void PetComponent::OnUse(Entity* originator) std::string buildFile; - if (cached == buildCache.end()) - { - std::stringstream query; - - query << "SELECT ValidPiecesLXF, PuzzleModelLot, Timelimit, NumValidPieces, imagCostPerBuild FROM TamingBuildPuzzles WHERE NPCLot = " << std::to_string(m_Parent->GetLOT()) << ";"; - - auto result = CDClientDatabase::ExecuteQuery(query.str()); + if (cached == buildCache.end()) { + auto result = CDClientDatabase::ExecuteQueryWithArgs( + "SELECT ValidPiecesLXF, PuzzleModelLot, Timelimit, NumValidPieces, imagCostPerBuild FROM TamingBuildPuzzles WHERE NPCLot = %d;", + m_Parent->GetLOT()); if (result.eof()) { diff --git a/dGame/dComponents/PropertyManagementComponent.cpp b/dGame/dComponents/PropertyManagementComponent.cpp index bf89eb22..543f99a2 100644 --- a/dGame/dComponents/PropertyManagementComponent.cpp +++ b/dGame/dComponents/PropertyManagementComponent.cpp @@ -40,11 +40,9 @@ PropertyManagementComponent::PropertyManagementComponent(Entity* parent) : Compo const auto zoneId = worldId.GetMapID(); const auto cloneId = worldId.GetCloneID(); - std::stringstream query; - - query << "SELECT id FROM PropertyTemplate WHERE mapID = " << std::to_string(zoneId) << ";"; - - auto result = CDClientDatabase::ExecuteQuery(query.str()); + auto result = CDClientDatabase::ExecuteQueryWithArgs( + "SELECT id FROM PropertyTemplate WHERE mapID = %d;", + (int) zoneId); if (result.eof() || result.fieldIsNull(0)) { 
@@ -97,12 +95,10 @@ void PropertyManagementComponent::SetOwner(Entity* value) std::vector PropertyManagementComponent::GetPaths() const { const auto zoneId = dZoneManager::Instance()->GetZone()->GetWorldID(); - - std::stringstream query {}; - query << "SELECT path FROM PropertyTemplate WHERE mapID = " << std::to_string(zoneId) << ";"; - - auto result = CDClientDatabase::ExecuteQuery(query.str()); + auto result = CDClientDatabase::ExecuteQueryWithArgs( + "SELECT path FROM PropertyTemplate WHERE mapID = %u;", + zoneId); std::vector paths {}; diff --git a/dGame/dComponents/RocketLaunchpadControlComponent.cpp b/dGame/dComponents/RocketLaunchpadControlComponent.cpp index 049a44b6..a117fffc 100644 --- a/dGame/dComponents/RocketLaunchpadControlComponent.cpp +++ b/dGame/dComponents/RocketLaunchpadControlComponent.cpp @@ -18,11 +18,9 @@ #include "PacketUtils.h" RocketLaunchpadControlComponent::RocketLaunchpadControlComponent(Entity* parent, int rocketId) : Component(parent) { - std::stringstream query; - - query << "SELECT targetZone, defaultZoneID, targetScene, altLandingPrecondition, altLandingSpawnPointName FROM RocketLaunchpadControlComponent WHERE id = " << std::to_string(rocketId); - - auto result = CDClientDatabase::ExecuteQuery(query.str()); + auto result = CDClientDatabase::ExecuteQueryWithArgs( + "SELECT targetZone, defaultZoneID, targetScene, altLandingPrecondition, altLandingSpawnPointName FROM RocketLaunchpadControlComponent WHERE id = %d;", + rocketId); if (!result.eof() && !result.fieldIsNull(0)) { diff --git a/dGame/dComponents/SkillComponent.cpp b/dGame/dComponents/SkillComponent.cpp index 0846f014..4396c669 100644 --- a/dGame/dComponents/SkillComponent.cpp +++ b/dGame/dComponents/SkillComponent.cpp 
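Review bot: In `PropertyManagementComponent::GetPaths` the `%u` argument is `zoneId`, which is assigned straight from `GetZone()->GetWorldID()`, while the constructor hunk in the same file first extracts `worldId.GetMapID()` and casts it for `%d`. If `GetWorldID()` returns the zone-ID object (the `const LWOZONEID&` with `.GetMapID()` in dZoneManager.cpp suggests it does; the declaration is not in this patch), that object is being passed through a variadic call where the old `std::to_string(zoneId)` would have gone through a conversion. That is not a valid `%u` argument and may read the wrong bytes. I would pass the map ID explicitly, e.g. `static_cast<uint32_t>(zoneId.GetMapID())` with `%u`, and use the same specifier and cast style for every `mapID` lookup in the patch instead of mixing `(int) zoneId` with `%d` and bare `zoneId` with `%u`.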
@@ -86,14 +86,11 @@ void SkillComponent::SyncPlayerProjectile(const LWOOBJID projectileId, RakNet::B const auto sync_entry = this->m_managedProjectiles.at(index); - std::stringstream query; + auto result = CDClientDatabase::ExecuteQueryWithArgs( + "SELECT behaviorID FROM SkillBehavior WHERE skillID = (SELECT skillID FROM ObjectSkills WHERE objectTemplate = %d);", + sync_entry.lot); - query << "SELECT behaviorID FROM SkillBehavior WHERE skillID = (SELECT skillID FROM ObjectSkills WHERE objectTemplate = " << std::to_string(sync_entry.lot) << ")"; - - auto result = CDClientDatabase::ExecuteQuery(query.str()); - - if (result.eof()) - { + if (result.eof()) { Game::logger->Log("SkillComponent", "Failed to find skill id for (%i)!\n", sync_entry.lot); return; @@ -428,8 +425,7 @@ void SkillComponent::SyncProjectileCalculation(const ProjectileSyncEntry& entry) { auto* other = EntityManager::Instance()->GetEntity(entry.branchContext.target); - if (other == nullptr) - { + if (other == nullptr) { if (entry.branchContext.target != LWOOBJID_EMPTY) { Game::logger->Log("SkillComponent", "Invalid projectile target (%llu)!\n", entry.branchContext.target); @@ -438,14 +434,11 @@ void SkillComponent::SyncProjectileCalculation(const ProjectileSyncEntry& entry) return; } - std::stringstream query; + auto result = CDClientDatabase::ExecuteQueryWithArgs( + "SELECT behaviorID FROM SkillBehavior WHERE skillID = (SELECT skillID FROM ObjectSkills WHERE objectTemplate = %d);", + entry.lot); - query << "SELECT behaviorID FROM SkillBehavior WHERE skillID = (SELECT skillID FROM ObjectSkills WHERE objectTemplate = " << std::to_string(entry.lot) << ")"; - - auto result = CDClientDatabase::ExecuteQuery(query.str()); - - if (result.eof()) - { + if (result.eof()) { Game::logger->Log("SkillComponent", "Failed to find skill id for (%i)!\n", entry.lot); return; diff --git a/dGame/dGameMessages/GameMessages.cpp b/dGame/dGameMessages/GameMessages.cpp index cd7910b4..0e30244b 100644 
--- a/dGame/dGameMessages/GameMessages.cpp +++ b/dGame/dGameMessages/GameMessages.cpp @@ -2509,11 +2509,9 @@ void GameMessages::HandleBBBSaveRequest(RakNet::BitStream* inStream, Entity* ent const auto zoneId = worldId.GetMapID(); const auto cloneId = worldId.GetCloneID(); - std::stringstream query; - - query << "SELECT id FROM PropertyTemplate WHERE mapID = " << std::to_string(zoneId) << ";"; - - auto result = CDClientDatabase::ExecuteQuery(query.str()); + auto result = CDClientDatabase::ExecuteQueryWithArgs( + "SELECT id FROM PropertyTemplate WHERE mapID = %d;", + (int) zoneId); if (result.eof() || result.fieldIsNull(0)) { return; diff --git a/dGame/dInventory/Item.cpp b/dGame/dInventory/Item.cpp index 20f5321a..92a208cb 100644 --- a/dGame/dInventory/Item.cpp +++ b/dGame/dInventory/Item.cpp @@ -386,11 +386,9 @@ void Item::DisassembleModel() const auto componentId = table->GetByIDAndType(GetLot(), COMPONENT_TYPE_RENDER); - std::stringstream query; - - query << "SELECT render_asset FROM RenderComponent WHERE id = " << std::to_string(componentId) << ";"; - - auto result = CDClientDatabase::ExecuteQuery(query.str()); + auto result = CDClientDatabase::ExecuteQueryWithArgs( + "SELECT render_asset FROM RenderComponent WHERE id = %d;", + componentId); if (result.eof()) { diff --git a/dGame/dUtilities/Preconditions.cpp b/dGame/dUtilities/Preconditions.cpp index b29af130..5b68685c 100644 --- a/dGame/dUtilities/Preconditions.cpp +++ b/dGame/dUtilities/Preconditions.cpp 
@@ -15,13 +15,10 @@ std::map Preconditions::cache = {}; -Precondition::Precondition(const uint32_t condition) -{ - std::stringstream query; - - query << "SELECT type, targetLOT, targetCount FROM Preconditions WHERE id = " << std::to_string(condition) << ";"; - - auto result = CDClientDatabase::ExecuteQuery(query.str()); +Precondition::Precondition(const uint32_t condition) { + auto result = CDClientDatabase::ExecuteQueryWithArgs( + "SELECT type, targetLOT, targetCount FROM Preconditions WHERE id = %u;", + condition); if (result.eof()) { diff --git a/dWorldServer/WorldServer.cpp b/dWorldServer/WorldServer.cpp index 2a6cbaa5..ce3774e9 100644 --- a/dWorldServer/WorldServer.cpp +++ b/dWorldServer/WorldServer.cpp @@ -1059,11 +1059,9 @@ void HandlePacket(Packet* packet) { const auto zoneId = Game::server->GetZoneID(); const auto cloneId = g_CloneID; - std::stringstream query; - - query << "SELECT id FROM PropertyTemplate WHERE mapID = " << std::to_string(zoneId) << ";"; - - auto result = CDClientDatabase::ExecuteQuery(query.str()); + auto result = CDClientDatabase::ExecuteQueryWithArgs( + "SELECT id FROM PropertyTemplate WHERE mapID = %u;", + zoneId); if (result.eof() || result.fieldIsNull(0)) { Game::logger->Log("WorldServer", "No property templates found for zone %d, not sending BBB\n", zoneId); diff --git a/dZoneManager/dZoneManager.cpp b/dZoneManager/dZoneManager.cpp index d2188f4f..6ed6c719 100644 --- a/dZoneManager/dZoneManager.cpp +++ b/dZoneManager/dZoneManager.cpp 
@@ -26,8 +26,9 @@ void dZoneManager::Initialize(const LWOZONEID& zoneID) { LOT zoneControlTemplate = 2365; - std::stringstream query; - auto result = CDClientDatabase::ExecuteQuery("SELECT zoneControlTemplate, ghostdistance_min, ghostdistance FROM ZoneTable WHERE zoneID = " + std::to_string(zoneID.GetMapID())); + auto result = CDClientDatabase::ExecuteQueryWithArgs( + "SELECT zoneControlTemplate, ghostdistance_min, ghostdistance FROM ZoneTable WHERE zoneID = %d;", + (int) zoneID.GetMapID()); if (!result.eof()) { zoneControlTemplate = result.getIntField("zoneControlTemplate", 2365);