Changeset 909ea23

Timestamp:

06/23/11 08:46:31 (11 years ago)

Author:

Philipp Spitzer <philipp@…>

Branches:

master, qt5

Children:

141a5c2

Parents:

06eef78

Message:

void possible SQL injection in function addRoomToDB.

File:

• src/sql/sqlengine.cpp (modified) (3 diffs)

src/sql/sqlengine.cpp

@@ -245 +245 @@
         //   and assign autoincremented 'id' to aRoom
         // - if it exists, then we need to get its 'id' and assign it to aRoom
-        int roomId = -1;
+        aRoom["id"] = "";
         if(query.next()) // ROOM record with 'name' already exists: we need to get its 'id'
         {
-            roomId = query.value(0).toInt();
+            aRoom["id"] = query.value(0).toInt();
         }
         else // ROOM record doesn't exist yet, need to create it
         {
-            // TODO: SQL Injection!!!
-            QString values = QString("'%1', '%2', '%3'").arg(aRoom["conference_id"],aRoom["name"],aRoom["picture"]);
-            QString query = QString("INSERT INTO ROOM (xid_conference,name,picture) VALUES (%1)").arg(values);
-            QSqlQuery result (query, db);
-            roomId = result.lastInsertId().toInt(); // 'id' is assigned automatically
+            query = QSqlQuery(db);
+            query.prepare("INSERT INTO ROOM (xid_conference,name,picture) VALUES (:xid_conference, :name, :picture)");
+            query.bindValue(":xid_conference", aRoom["conference_id"]);
+            query.bindValue(":xid_name", aRoom["name"]);
+            query.bindValue(":xid_picture", aRoom["picture"]);
+            if (!query.exec()) qDebug() << "Could not execute 'insert into room ...' query." << query.lastError();
+            aRoom["id"] = query.lastInsertId().toInt(); // 'id' is assigned automatically
             //LOG_AUTOTEST(query);
         }
@@ -263 +265 @@
         query.bindValue(":conference_id", aRoom["conference_id"]);
         query.bindValue(":event_id", aRoom["event_id"]);
-        query.bindValue(":roomId", roomId);
-        if (!query.exec()) qDebug() << "Could not execute insert into event_room query:" << query.lastError();
+        query.bindValue(":roomId", aRoom["id"]);
+        if (!query.exec()) qDebug() << "Could not 'execute insert into event_room' query:" << query.lastError();
         //LOG_AUTOTEST(query);
     }
@@ -307 +309 @@
         query += "INNER JOIN PERSON ON ( EVENT_PERSON.xid_person = PERSON.id ) ";
     }
+    // TODO: avoid .arg
     query += QString("WHERE EVENT.xid_conference = %1 AND (").arg( aConferenceId );
 
     foreach (QString table, aColumns.uniqueKeys()){
         foreach (QString column, aColumns.values(table)){
+            // TODO: SQL Injection!!!
             query += QString("%1.%2 LIKE '\%%3\%' OR ").arg( table, column, aKeyword );
         }