LandSandBoat / server

:sailboat: LandSandBoat - a server emulator for Final Fantasy XI
https://landsandboat.github.io/server/
GNU General Public License v3.0

šŸ› San d'Orian Grapes generating SQL errors? #5891

Closed CatsEyeXI closed 4 months ago

CatsEyeXI commented 4 months ago

I affirm:

OS / platform the server is running (if known)

Windows10/MariaDB 10.6

Branch affected by issue

base

Steps to reproduce

I unfortunately can't gather much context surrounding this error but looks like the formatting contained within this item name is causing SQL errors.

Zones_6.txt:[06/06/24 13:24:00:446][map][error] mysql_real_query: SQL_ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'or._grape' OR sortname LIKE 'san_d'or._grape'' at line 1 (1064) (SqlConnection::QueryStr:328)

Expected behavior

SQL statements should be formatted to sanely handle this item?

cocosolos commented 4 months ago

Looks like sortname is only used in a couple areas and this looks like GetItemIDByName called by !additem command.

RAIST5150 commented 4 months ago

Herm... could it be the single quotes monkeying up the query?

INSERT INTO `item_basic` VALUES (4431,0,'bunch_of_san_dorian_grapes','san_dor._grape',12,1548,@INGREDIENTS,0,19);;

Only question it because I once saw an issue with addresses in a tax records file conversion run that was using single quotes during an extraction. When people put in something like ST. JOHN'S in an address it threw the formatting out of whack.

Just weird to see it cut off right where you have that weirdness we have to watch out for with San d'oria, when it isn't formatted like that in items_basic.

'san_d'or._grape'' in the query

san_dor._grape in the data

Xaver-DaRed commented 4 months ago

This is what we have: [image]

This is the error near 'or._grape' OR sortname LIKE 'san_d'or._grape''

Meaning, it's probably a module override problem, 'cause we do not have a ' in the item long-name nor short-name

cocosolos commented 4 months ago

Most likely source of query.

This function is only used in !additem, so it's likely a module or a GM or something. If you're directly using client extracted strings somewhere it'll probably fail.

CatsEyeXI commented 4 months ago

hi, seems it is indeed likely that a gm used single quotes in the !additem command. Will close, thanks for looking.

zach2good commented 4 months ago

If a user/gm can input arbitrary text directly into a sql statement: this is a very bad thing that should be patched, even if it's gm-only 👀
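The failure discussed in this thread, reproduced as an added example that is not LandSandBoat code. It assumes the query has the shape visible in the logged error (`... LIKE '<text>' OR sortname LIKE '<text>'`), uses Python's `sqlite3` as a stand-in for MariaDB, and the table layout and function names are hypothetical.

```python
import sqlite3


def make_db():
    """Constructed stand-in for item_basic, holding only the row quoted in the thread."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE item_basic (itemid INTEGER PRIMARY KEY, name TEXT, sortname TEXT)"
    )
    db.execute(
        "INSERT INTO item_basic VALUES (4431, 'bunch_of_san_dorian_grapes', 'san_dor._grape')"
    )
    return db


def lookup_formatted(db, name):
    """Assumed failing pattern: the typed text is pasted between the quotes."""
    query = (
        "SELECT itemid FROM item_basic "
        "WHERE name LIKE '%s' OR sortname LIKE '%s'" % (name, name)
    )
    try:
        row = db.execute(query).fetchone()
    except sqlite3.OperationalError as exc:
        # The apostrophe closed the string literal early, so the rest
        # of the typed text was parsed as SQL and rejected.
        return ("error", str(exc))
    return ("ok", row[0] if row else None)


def lookup_bound(db, name):
    """Same lookup with bound parameters: the text is only ever data."""
    query = "SELECT itemid FROM item_basic WHERE name LIKE ? OR sortname LIKE ?"
    row = db.execute(query, (name, name)).fetchone()
    return ("ok", row[0] if row else None)


if __name__ == "__main__":
    db = make_db()
    for typed in ("san_dor._grape", "san_d'or._grape"):
        print(repr(typed), lookup_formatted(db, typed), lookup_bound(db, typed))
```

With bound parameters the apostrophe no longer breaks the statement; the lookup simply finds no item. `_` and `%` in the typed text still act as `LIKE` wildcards.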