aboutsummaryrefslogtreecommitdiff
path: root/frontend
diff options
context:
space:
mode:
Diffstat (limited to 'frontend')
-rw-r--r--frontend/GameData.cpp41
1 files changed, 22 insertions, 19 deletions
diff --git a/frontend/GameData.cpp b/frontend/GameData.cpp
index 1b7c548..6d22f8e 100644
--- a/frontend/GameData.cpp
+++ b/frontend/GameData.cpp
@@ -1,8 +1,8 @@
#include <memory>
-#include <unordered_map>
#include "backend/Enemy.h"
#include "backend/EnemyFactory.h"
+#include "backend/Exception.h"
#include "backend/LocationFactory.h"
#include "backend/Object.h"
#include "backend/ObjectFactory.h"
@@ -42,14 +42,14 @@ Enemy * GameData::create_enemy(const string & name) const {
auto row = query.row();
auto enemy = unique_ptr<Enemy>{ EnemyFactory::create_enemy(row.col<const char *>(0), row.col<const char *>(1)) };
int object_count = RNG::get().rand_int(Range<int> { row.col<int>(2), row.col<int>(3) });
- vector<string> object_names = this->random_objects(object_count);
- for (const string & name : object_names)
+ for (const string & name : this->random_objects(object_count))
enemy->add_hidden_object(this->create_object(name));
enemy->set_health(row.col<int>(4));
enemy->set_attack(static_cast<float>(row.col<int>(5)) / 100);
enemy->set_damage({ row.col<int>(6), row.col<int>(7) });
return enemy.release();
- } catch (...) {
+ } catch (Exception & e) {
+ printf("Fout bij aanmaken van vijand: %s\n", e.what());
return EnemyFactory::create_enemy(name.c_str());
}
}
@@ -136,22 +136,25 @@ void GameData::leaderbord_print() const {
}
vector<string> GameData::random_names(const string & table, unsigned count) const {
- static DBStatement query = this->db.prepare(R"(
- select naam
- from ?
- order by random()
- limit ?
- )");
- query.reset()
- .bind(table.c_str())
- .bind(count)
- ;
-
- vector<string> names = {};
- for (DBQueryRow & row : query.rows()) {
- names.push_back(row.col<const char *>(0));
+ if (count == 0) return {};
+ try {
+ // NOTE: Parameter placeholders cannot be used for database identifiers
+ // (i.e. the table name in this case), which makes this function vulnerable
+ // to SQL injection if the table argument contains user-controllable data.
+ String query_str = String::fmt("select naam from %s order by random() limit ?", table.c_str());
+ static DBStatement query = this->db.prepare(query_str.c_str());
+ query.reset()
+ .bind(count)
+ ;
+
+ vector<string> names = {};
+ for (DBQueryRow & row : query.rows()) {
+ names.push_back(row.col<const char *>(0));
+ }
+ return names;
+ } catch (Exception & e) {
+ throw Exception("genereren van %d willekeurige namen uit tabel %s: %s", count, table.c_str(), e.what());
}
- return names;
}
vector<string> GameData::random_locations(unsigned count) const {