Simplify database query from admin panel.

Vaflan · Vaflan · commit 90eb2533672a · 2023-04-10T21:45:43.000+03:00
diff --git a/README.md b/README.md
@@ -25,7 +25,7 @@ Second step, add the library if the database uses MD5.
 * Copy "WZ_MD5_MOD.dll" from project to Microsoft SQL "Server\MSSQL\Binn\"
 *********************************************************************
 The third step is to change socks.
-* Change `config.php` and replace 'IP Address', 'Login', 'Password', 'DataBase'
+* Customize the file `config.php` and variable $mmw['sql'] replace '127.0.0.1', 'USER', 'PASSWORD'
 * If you will be installing from a non-local ip, you set CUSTOM_IP_ADDRESS in install.php
 * Open install http://localhost/install.php
 *********************************************************************
diff --git a/admin/acc.php b/admin/acc.php
@@ -368,13 +368,13 @@
 			$search = clean_var(stripslashes($_POST['search_account']));
 
 			$queryBuildWhere = !empty($_POST['search_type'])
-				? "LIKE '%{$search}%'"
-				: "= '{$search}'";
+				? "mi.memb___id LIKE '%{$search}%'"
+				: "mi.memb___id = '{$search}'";
 			$result = mssql_query("SELECT
 				mi.memb___id,mi.memb__pwd,mi.bloc_code,mi.country,mi.gender,ms.ConnectStat
 				FROM dbo.MEMB_INFO AS mi
 				LEFT JOIN dbo.MEMB_STAT AS ms ON ms.memb___id = mi.memb___id
-					WHERE mi.memb___id {$queryBuildWhere}");
+					WHERE {$queryBuildWhere}");
 
 			$rank = 1;
 			while ($row = mssql_fetch_row($result)) {
diff --git a/admin/acclist.php b/admin/acclist.php
@@ -45,10 +45,13 @@
 			mi.bloc_code,
 			mi.appl_days,
 			ms.ConnectStat,
-			ms.ConnectTM
-		FROM dbo.MEMB_INFO AS mi
-		LEFT JOIN dbo.MEMB_STAT AS ms ON ms.memb___id = mi.memb___id
-		ORDER BY appl_days");
+			ms.ConnectTM,
+			c.count
+			FROM dbo.MEMB_INFO AS mi
+				LEFT JOIN dbo.MEMB_STAT AS ms ON ms.memb___id = mi.memb___id
+				LEFT JOIN (SELECT COUNT(*) AS count, AccountID FROM dbo.Character GROUP BY AccountID) AS c ON c.AccountID = mi.memb___id
+				ORDER BY appl_days
+		");
 		while ($row = mssql_fetch_row($result)) {
 			$mode = $row[1];
 			if ($row[1] == 0) {
@@ -75,16 +78,14 @@
 			if ($row[3] === null) {
 				$status = '<img src="../images/death.gif" alt="death">';
 			}
-
-			$char_numb = mssql_num_rows(mssql_query("SELECT Name FROM dbo.Character WHERE AccountID='{$row[0]}'"));
 			?>
 			<tr>
 				<td align="center"><?php echo $rank++; ?>.</td>
 				<td><a href=?op=acc&acc=<?php echo $row[0]; ?>><?php echo $row[0]; ?></a></td>
 				<td><?php echo $mode; ?></td>
 				<td><?php echo time_format($row[2]); ?></td>
 				<td><?php echo $row[4] ? time_format($row[4]) : '---'; ?></td>
-				<td><?php echo $char_numb; ?></td>
+				<td><?php echo intval($row[5]); ?></td>
 				<td align="center"><?php echo $status; ?></td>
 				<td align="center">
 					<form action="" method="post">
diff --git a/admin/char.php b/admin/char.php
@@ -270,22 +270,34 @@
 			$search_type = $_POST['search_type'];
 
 			$queryBuildWhere = !empty($_POST['search_type'])
-				? "LIKE '%{$search}%'"
-				: "= '{$search}'";
-			$result = mssql_query("SELECT Name,Class,cLevel,{$mmw['reset_column']},strength,dexterity,vitality,energy,accountid,CtlCode FROM dbo.Character WHERE Name {$queryBuildWhere}");
+				? "c.Name LIKE '%{$search}%'"
+				: "c.Name = '{$search}'";
+			$result = mssql_query("SELECT
+				c.Name,
+				c.Class,
+				c.cLevel,
+				c.{$mmw['reset_column']},
+				c.Strength,
+				c.Dexterity,
+				c.Vitality,
+				c.Energy,
+				c.AccountID,
+				c.CtlCode,
+				ms.ConnectStat
+				FROM dbo.Character as c
+				LEFT JOIN dbo.MEMB_STAT as ms ON ms.memb___id = c.AccountID
+					WHERE {$queryBuildWhere}
+			");
 
 			$rank = 1;
 			while ($row = mssql_fetch_row($result)) {
-				$status_result = mssql_query("SELECT ConnectStat FROM dbo.MEMB_STAT WHERE memb___id='{$row[8]}'");
-				$status = mssql_fetch_row($status_result);
-
-				if ($status[0] == 0) {
+				if ($row[10] == 0) {
 					$status = '<img src="../images/offline.gif" alt="offline">';
 				}
-				if ($status[0] == 1) {
+				if ($row[10] == 1) {
 					$status = '<img src="../images/online.gif" alt="online">';
 				}
-				if ($status[0] === null) {
+				if ($row[10] === null) {
 					$status = '<img src="../images/death.gif" alt="death">';
 				}
 
diff --git a/admin/sqlquery.php b/admin/sqlquery.php
@@ -6,7 +6,7 @@
 $exampleQuery = "UPDATE table SET [column]=? WHERE [column]=?\n\nSELECT * FROM table WHERE [column]=?\n\nSELECT CAST(Items AS varbinary(1920)) FROM warehouse WHERE AccountID='?'";
 
 if (isset($_POST['sql_query_true'])) {
-	$sqlQuery = str_replace(array('\"', '\''), array('"', ''), $_POST['sql_query']);
+	$sqlQuery = str_replace(array('\"', '\'', '&#39;'), array('"', '', '\''), $_POST['sql_query']);
 	if ($sqlQueryResult = mssql_query($sqlQuery)) {
 		$queryResult = $mmw['warning']['green'] . 'Query done!';
 		writelog('a_sql_query', 'Query: <b>' . $sqlQuery . '</b> Has Been <span style="color:red">Injection</span>');
