Implementing TGSQL security

Cadyn
2021-01-27 10:51:12 -08:00
parent e3a5367009
commit 00bc513e6e
19 changed files with 228 additions and 118 deletions


@@ -71,12 +71,13 @@ GLOBAL_LIST_EMPTY(pending_discord_registrations)
/datum/tgs_chat_command/register/Run(datum/tgs_chat_user/sender, params)
// Try to find if that ID is registered to someone already
var/sql_discord = sql_sanitize_text(sender.id)
var/DBQuery/query = SSdbcore.NewQuery("SELECT discord_id FROM erro_player WHERE discord_id = '[sql_discord]'") //CHOMPEdit TGSQL
//var/sql_discord = sql_sanitize_text(sender.id) //CHOMPEdit TGSQL
var/DBQuery/query = SSdbcore.NewQuery("SELECT discord_id FROM erro_player WHERE discord_id = :t_discord", list("t_discord"=sender.id)) //CHOMPEdit TGSQL
query.Execute()
if(query.NextRow())
qdel(query) //CHOMPEdit TGSQL
return "[sender.friendly_name], your Discord ID is already registered to a Byond username. Please contact an administrator if you changed your Byond username or Discord ID."
qdel(query) //CHOMPEdit TGSQL
var/key_to_find = "[ckey(params)]"
// They didn't provide anything worth looking up.
@@ -94,18 +95,20 @@ GLOBAL_LIST_EMPTY(pending_discord_registrations)
if(!user)
return "[sender.friendly_name], I couldn't find a logged-in user with the username of '[key_to_find]', which is what you provided after conversion to Byond's ckey format. Please connect to the game server and try again."
var/sql_ckey = sql_sanitize_text(key_to_find)
query = SSdbcore.NewQuery("SELECT discord_id FROM erro_player WHERE ckey = '[sql_ckey]'") //CHOMPEdit TGSQL
query.Execute()
//var/sql_ckey = sql_sanitize_text(key_to_find) //CHOMPEdit TGSQL
var/DBQuery/query2 = SSdbcore.NewQuery("SELECT discord_id FROM erro_player WHERE ckey = :t_ckey",list("t_ckey" = key_to_find)) //CHOMPEdit TGSQL
query2.Execute() //CHOMPEdit TGSQL
// We somehow found their client, BUT they don't exist in the database
if(!query.NextRow())
if(!query2.NextRow()) //CHOMPEdit TGSQL
qdel(query2) //CHOMPEdit TGSQL
return "[sender.friendly_name], the server's database is either not responding or there's no evidence you've ever logged in. Please contact an administrator."
// We found them in the database, AND they already have a discord ID assigned
if(query.item[1])
if(query2.item[1]) //CHOMPEdit TGSQL
qdel(query2) //CHOMPEdit TGSQL
return "[sender.friendly_name], it appears you've already registered your chat and game IDs. If you've changed game or chat usernames, please contact an administrator for help."
qdel(query2) //CHOMPEdit TGSQL
// Okay. We found them, they're in the DB, and they have no discord ID set.
var/message = "<span class='notice'>A request has been sent from Discord to validate your Byond username, by '[sender.friendly_name]' in '[sender.channel.friendly_name]'</span>\
<br><span class='warning'>If you did not send this request, do not click the link below, and do notify an administrator in-game or on Discord ASAP.</span>\