diff --git a/code/modules/admin/DB ban/functions.dm b/code/modules/admin/DB ban/functions.dm index c7d9b68037d..329fac62e98 100644 --- a/code/modules/admin/DB ban/functions.dm +++ b/code/modules/admin/DB ban/functions.dm @@ -113,7 +113,7 @@ datum/admins/proc/DB_ban_record(var/bantype, var/mob/banned_mob, var/duration = else adminwho += ", [C]" - reason = sql_sanitize_text(reason) + reason = sanitizeSQL(reason) if(maxadminbancheck) var/DBQuery/adm_query = dbcon.NewQuery("SELECT count(id) AS num FROM [format_table_name("ban")] WHERE (a_ckey = '[a_ckey]') AND (bantype = 'ADMIN_PERMABAN' OR (bantype = 'ADMIN_TEMPBAN' AND expiration_time > Now())) AND isnull(unbanned)") @@ -235,14 +235,14 @@ datum/admins/proc/DB_ban_edit(var/banid = null, var/param = null) usr << "Invalid ban id. Contact the database admin" return - reason = sql_sanitize_text(reason) + reason = sanitizeSQL(reason) var/value switch(param) if("reason") if(!value) value = input("Insert the new reason for [pckey]'s ban", "New Reason", "[reason]", null) as null|text - value = sql_sanitize_text(value) + value = sanitizeSQL(value) if(!value) usr << "Cancelled" return diff --git a/code/modules/admin/banappearance.dm b/code/modules/admin/banappearance.dm index 991fa9ad362..be59efff4f7 100644 --- a/code/modules/admin/banappearance.dm +++ b/code/modules/admin/banappearance.dm @@ -99,7 +99,7 @@ proc/DB_ban_isappearancebanned(var/playerckey) if(!dbcon.IsConnected()) return - var/sqlplayerckey = sql_sanitize_text(ckey(playerckey)) + var/sqlplayerckey = sanitizeSQL(ckey(playerckey)) var/DBQuery/query = dbcon.NewQuery("SELECT id FROM [format_table_name("ban")] WHERE CKEY = '[sqlplayerckey]' AND ((bantype = 'APPEARANCE_PERMABAN') OR (bantype = 'APPEARANCE_TEMPBAN' AND expiration_time > Now())) AND unbanned != 1") query.Execute() diff --git a/code/modules/client/client procs.dm b/code/modules/client/client procs.dm index 9cec6893165..e9876b2d1df 100644 --- a/code/modules/client/client procs.dm +++ b/code/modules/client/client procs.dm @@ -163,7 +163,7 @@ var/next_external_rsc = 0 if(!dbcon.IsConnected()) return - var/sql_ckey = sql_sanitize_text(src.ckey) + var/sql_ckey = sanitizeSQL(src.ckey) var/DBQuery/query = dbcon.NewQuery("SELECT id, datediff(Now(),firstseen) as age FROM [format_table_name("player")] WHERE ckey = '[sql_ckey]'") query.Execute() @@ -198,9 +198,9 @@ var/next_external_rsc = 0 if(src.holder && src.holder.rank) admin_rank = src.holder.rank.name - var/sql_ip = sql_sanitize_text(src.address) - var/sql_computerid = sql_sanitize_text(src.computer_id) - var/sql_admin_rank = sql_sanitize_text(admin_rank) + var/sql_ip = sanitizeSQL(src.address) + var/sql_computerid = sanitizeSQL(src.computer_id) + var/sql_admin_rank = sanitizeSQL(admin_rank) if(sql_id) diff --git a/code/modules/research/message_server.dm b/code/modules/research/message_server.dm index c5dd5d2ae50..be9331a9c7f 100644 --- a/code/modules/research/message_server.dm +++ b/code/modules/research/message_server.dm @@ -290,17 +290,11 @@ var/obj/machinery/blackbox_recorder/blackbox var/DBQuery/query_insert = dbcon.NewQuery(sql) query_insert.Execute() -// Sanitize inputs to avoid SQL injection attacks -proc/sql_sanitize_text(var/text) - text = replacetext(text, "'", "''") - text = replacetext(text, ";", "") - text = replacetext(text, "&", "") - return text proc/feedback_set(var/variable,var/value) if(!blackbox) return - variable = sql_sanitize_text(variable) + variable = sanitizeSQL(variable) var/datum/feedback_variable/FV = blackbox.find_feedback_datum(variable) @@ -311,7 +305,7 @@ proc/feedback_set(var/variable,var/value) proc/feedback_inc(var/variable,var/value) if(!blackbox) return - variable = sql_sanitize_text(variable) + variable = sanitizeSQL(variable) var/datum/feedback_variable/FV = blackbox.find_feedback_datum(variable) @@ -322,7 +316,7 @@ proc/feedback_inc(var/variable,var/value) proc/feedback_dec(var/variable,var/value) if(!blackbox) return - variable = sql_sanitize_text(variable) + variable = sanitizeSQL(variable) var/datum/feedback_variable/FV = blackbox.find_feedback_datum(variable) @@ -333,8 +327,8 @@ proc/feedback_dec(var/variable,var/value) proc/feedback_set_details(var/variable,var/details) if(!blackbox) return - variable = sql_sanitize_text(variable) - details = sql_sanitize_text(details) + variable = sanitizeSQL(variable) + details = sanitizeSQL(details) var/datum/feedback_variable/FV = blackbox.find_feedback_datum(variable) @@ -345,8 +339,8 @@ proc/feedback_set_details(var/variable,var/details) proc/feedback_add_details(var/variable,var/details) if(!blackbox) return - variable = sql_sanitize_text(variable) - details = sql_sanitize_text(details) + variable = sanitizeSQL(variable) + details = sanitizeSQL(details) var/datum/feedback_variable/FV = blackbox.find_feedback_datum(variable)