From 730738faf948c49664165dd1417d2b141b4384ae Mon Sep 17 00:00:00 2001
From: Fryguy
Date: Sat, 12 Aug 2023 21:47:22 -0400
Subject: [PATCH] [Bug] Escape item name in trader audit. (#3540)

* [Bug] Escape item name in trader audit.

Quick fix to escape the item names in Trader Audit.

* Update trading.cpp

---------

Co-authored-by: Alex King <89047260+Kinglykrab@users.noreply.github.com>
---
 zone/trading.cpp | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/zone/trading.cpp b/zone/trading.cpp
index b0caf6b55..eebdcf720 100644
--- a/zone/trading.cpp
+++ b/zone/trading.cpp
@@ -1459,10 +1459,17 @@ void Client::TradeRequestFailed(const EQApplicationPacket* app) {
 static void BazaarAuditTrail(const char *seller, const char *buyer, const char *itemName, int quantity, int totalCost, int tranType) {
- std::string query = StringFormat("INSERT INTO `trader_audit` " "(`time`, `seller`, `buyer`, `itemname`, `quantity`, `totalcost`, `trantype`) " "VALUES (NOW(), '%s', '%s', '%s', %i, %i, %i)", seller, buyer, itemName, quantity, totalCost, tranType);
+ const std::string& query = fmt::format( "INSERT INTO `trader_audit` " "(`time`, `seller`, `buyer`, `itemname`, `quantity`, `totalcost`, `trantype`) " "VALUES (NOW(), '{}', '{}', '{}', {}, {}, {})", seller, buyer, Strings::Escape(itemName), quantity, totalCost, tranType );
 database.QueryDatabase(query);
 }
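Review bot: `seller` and `buyer` are still interpolated unescaped into the first two `'{}'` placeholders of the INSERT, so the audit row keeps the same quoting problem the commit fixes for `itemName`; wrap them the same way, `Strings::Escape(seller),` and `Strings::Escape(buyer),`, or move the statement to bound parameters if `database` offers them. Whether those names can ever contain a quote depends on validation outside this hunk, but an audit trail should not rely on that. Separately, `const std::string& query = fmt::format(` binds a reference to a temporary; lifetime extension makes it well-formed, but `const std::string query = fmt::format(` expresses the same thing without the reader having to check the rule.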