CRITICAL (Does not affect player information): SQL Injection possible
uwainium opened this issue
On the current version of development, the Commands.cpp file allows a user to submit a raw string to the DB, allowing for SQL Injection.
The methods in CDClient.cpp that are affected are:
CDClient::isAnimationValid
CDClient::getTemplateFromName
Fix: Use params in the SACommand object instead of concatenating strings.
More about those here
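The fix described above, as an added example that is not code from the project or from the issue author: the same lookup is written once with string concatenation and once with a bound parameter. It uses Python's built-in sqlite3 as a stand-in for SACommand so it runs without a database server. The table, column names and function bodies are assumptions, and only the method name isAnimationValid comes from the issue.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the client database.
    # Table and column names are assumptions, not the project's schema.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Animations (animation_type TEXT, animation_name TEXT)")
    db.executemany(
        "INSERT INTO Animations VALUES (?, ?)",
        [("idle", "idle-loop"), ("walk", "walk-cycle")],
    )
    return db


def is_animation_valid_concat(db, name):
    # Before: the command argument is pasted into the SQL text, so any
    # quote character in it becomes part of the statement itself.
    sql = "SELECT COUNT(*) FROM Animations WHERE animation_type = '" + name + "'"
    return db.execute(sql).fetchone()[0] > 0


def is_animation_valid_param(db, name):
    # After: the SQL text is a constant and the value is bound separately,
    # so it is only ever compared as data.
    sql = "SELECT COUNT(*) FROM Animations WHERE animation_type = ?"
    return db.execute(sql, (name,)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: a real name, a quote-bearing string that changes the
    # WHERE clause, and a plain apostrophe that breaks the concatenated query.
    for name in ["walk", "nosuch' OR '1'='1", "it's"]:
        try:
            concat = is_animation_valid_concat(db, name)
        except sqlite3.OperationalError as exc:
            concat = "error: %s" % exc
        print(repr(name), "concat:", concat, "param:", is_animation_valid_param(db, name))
```

The concatenated version reports an animation that does not exist as valid and fails outright on a lone apostrophe, while the bound version returns False for both.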