I have never messed with CMangos, nor do I have any knowledge of how to set up, compile, or build a CMangos server for testing.

but at first glance I would attempt something like this:
Code:

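/// Ban an IP address, an account, or the account behind a character, and announce it server-wide.
///
/// @param mode          BAN_IP, BAN_ACCOUNT or BAN_CHARACTER; any other value returns BAN_SYNTAX_ERROR.
/// @param nameOrIP      IP address, account username or character name, depending on mode.
/// @param duration_secs Added to UNIX_TIMESTAMP() to form the unban time; a positive value is a
///                      timed ban, otherwise the ban is treated as permanent.
/// @param reason        Free-text reason, stored with the ban and included in the announcement.
/// @param author        Name recorded as the banner; a session whose player name equals it is not kicked.
/// @return BAN_SUCCESS, BAN_NOTFOUND (no matching account or character) or BAN_SYNTAX_ERROR.
BanReturn World::BanAccount(BanMode mode, std::string nameOrIP, uint32 duration_secs, std::string reason, const std::string& author)
{
	// Keep the caller's text for the announcement: escape_string() rewrites its argument in
	// place, and SQL-escaped text (extra backslashes before quotes) must not be shown to players.
	const std::string shown_target = nameOrIP;
	const std::string shown_reason = reason;

	// From here on nameOrIP, reason and safe_author are the SQL-escaped forms and are used only in queries.
	// Escaping is sufficient only because every %s below sits inside single quotes;
	// duration_secs and account are formatted as %u integers.
	LoginDatabase.escape_string(nameOrIP);
	LoginDatabase.escape_string(reason);
	std::string safe_author = author;
	LoginDatabase.escape_string(safe_author);

	QueryResult* resultAccounts = nullptr;                     // accounts to ban and kick
	std::string announce_prefix;                               // "IP:" / "ACCT:" / empty for characters

	///- Look up the affected accounts (and record the IP ban itself)
	switch (mode)
	{
	case BAN_IP:
		resultAccounts = LoginDatabase.PQuery("SELECT id FROM account WHERE last_ip = '%s'", nameOrIP.c_str());
		LoginDatabase.PExecute("INSERT INTO ip_banned VALUES ('%s',UNIX_TIMESTAMP(),UNIX_TIMESTAMP()+%u,'%s','%s')", nameOrIP.c_str(), duration_secs, safe_author.c_str(), reason.c_str());
		announce_prefix = "IP:";
		break;
	case BAN_ACCOUNT:
		resultAccounts = LoginDatabase.PQuery("SELECT id FROM account WHERE username = '%s'", nameOrIP.c_str());
		announce_prefix = "ACCT:";
		break;
	case BAN_CHARACTER:
		resultAccounts = CharacterDatabase.PQuery("SELECT account FROM characters WHERE name = '%s'", nameOrIP.c_str());
		break;
	default:
		return BAN_SYNTAX_ERROR;
	}

	// Nothing matched: an IP ban is still recorded above, but an account or character
	// ban did not happen, so it must not be announced.
	if (!resultAccounts && mode != BAN_IP)
		return BAN_NOTFOUND;

	///- Announce the ban using the unescaped text
	// NOTE(review): the message-type value 1 and the std::string argument are kept as the post
	// wrote them; confirm both against SendServerMessage's declaration.
	// NOTE(review): target and reason are broadcast unfiltered; confirm that only trusted
	// staff can reach this call.
	World::SendServerMessage(1, announce_prefix + shown_target + " was banned by " + author + " due to: " + shown_reason, nullptr);

	if (!resultAccounts)
		return BAN_SUCCESS;                                 // ip correctly banned but nobody affected (yet)

	///- Ban and disconnect all affected players (for IP it can be several)
	do
	{
		Field* fieldsAccount = resultAccounts->Fetch();
		uint32 account = fieldsAccount->GetUInt32();

		// IP bans live in ip_banned only; account and character bans get one row per account.
		if (mode != BAN_IP)
		{
			LoginDatabase.PExecute("INSERT INTO account_banned VALUES ('%u', UNIX_TIMESTAMP(), UNIX_TIMESTAMP()+%u, '%s', '%s', '1')",
				account, duration_secs, safe_author.c_str(), reason.c_str());
		}

		// Do not disconnect the banner's own session (matched by player name).
		if (WorldSession* sess = FindSession(account))
			if (std::string(sess->GetPlayerName()) != author)
				sess->KickPlayer();
	} while (resultAccounts->NextRow());

	delete resultAccounts;
	return BAN_SUCCESS;
}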
but this is where someone with some cmangos exp steps in ;P