Changeset 50c848a in confclerk_git
Timestamp:
08/30/17 19:44:17 (5 years ago)
Author:
Philipp Spitzer <philipp@…>
Branches:
master, qt5
Children:
e27a3f5
Parents:
511ff7e
git-author:
Martín Ferrari <tincho@…> (08/28/17 00:05:04)
git-committer:
Philipp Spitzer <philipp@…> (08/30/17 19:44:17)
Message:

Fix possibility for SQL injection attack.

File:
1 edited

  • src/mvc/track.cpp

    r511ff7e r50c848a  
    4141    QSqlQuery query;
    4242    QString trackname = name();
    43     query.prepare("INSERT INTO " + sTableName + " (" + CONFERENCEID + "," + NAME + ")" + " VALUES " + "(\"" + QString::number(conferenceid()) + "\",\"" + trackname + "\")");
     43    query.prepare(
     44            QString("INSERT INTO %1 (%2, %3) VALUES (:xid_conference, :name)")
     45            .arg(sTableName, CONFERENCEID, NAME));
     46    query.bindValue(":xid_conference", conferenceid());
     47    query.bindValue(":name", trackname);
    4448    if (!query.exec())
    4549    {
    46         throw TrackInsertException("Inserting track '" + trackname + "' into database failed.");
     50        throw TrackInsertException(
     51                "Inserting track '" + trackname + "' into database failed: " +
     52                query.lastError().text());
    4753    }
    4854    QVariant variant = query.lastInsertId();
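Review bot: the return value of `query.prepare(...)` at new lines 43-45 is still unchecked, so if the driver rejects the statement (or the named-placeholder form) the failure only surfaces later at `exec()`, and the exception text then reports an execution error for what was really a preparation error; consider `if (!query.prepare(...)) throw TrackInsertException("Preparing track insert failed: " + query.lastError().text());` before the `bindValue` calls. Moving `conferenceid()` and `trackname` into `:xid_conference` / `:name` bound parameters is the right fix for the injection the commit message names, since the old concatenation at old line 43 placed `trackname` directly inside the SQL text. Note that `sTableName`, `CONFERENCEID` and `NAME` are still interpolated via `QString::arg`; that is unavoidable for identifiers (they cannot be bound as parameters) and acceptable only as long as they remain fixed, non-user-controlled values, which may be worth a comment at that spot so a later change does not reintroduce the problem.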