Changeset a55781e


Ignore:
Timestamp:
06/23/11 16:43:18 (10 years ago)
Author:
Philipp Spitzer <philipp@…>
Branches:
master, qt5
Children:
4be292a
Parents:
5438514
Message:

Fixed SQL error in searchEvent when no table was selected.
Prevented SQL injection in searchEvent.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • src/sql/sqlengine.cpp

    r5438514 ra55781e  
    293293        return -1;
    294294
     295    if (aColumns.empty()) return -1;
    295296
    296297    // DROP
     
    299300    execQuery( db, "CREATE TEMP TABLE SEARCH_EVENT ( xid_conference INTEGER  NOT NULL, id INTEGER NOT NULL )");
    300301    // INSERT
    301     QString query = QString("INSERT INTO SEARCH_EVENT ( xid_conference, id ) "
     302    QString sql = QString("INSERT INTO SEARCH_EVENT ( xid_conference, id ) "
    302303                "SELECT EVENT.xid_conference, EVENT.id FROM EVENT ");
    303304    if( aColumns.contains("ROOM") ){
    304         query += "INNER JOIN EVENT_ROOM ON ( EVENT.xid_conference = EVENT_ROOM.xid_conference AND EVENT.id = EVENT_ROOM.xid_event ) ";
    305         query += "INNER JOIN ROOM ON ( EVENT_ROOM.xid_room = ROOM.id ) ";
     305        sql += "INNER JOIN EVENT_ROOM ON ( EVENT.xid_conference = EVENT_ROOM.xid_conference AND EVENT.id = EVENT_ROOM.xid_event ) ";
     306        sql += "INNER JOIN ROOM ON ( EVENT_ROOM.xid_room = ROOM.id ) ";
    306307    }
    307308    if( aColumns.contains("PERSON") ){
    308         query += "INNER JOIN EVENT_PERSON ON ( EVENT.xid_conference = EVENT_PERSON.xid_conference AND EVENT.id = EVENT_PERSON.xid_event ) ";
    309         query += "INNER JOIN PERSON ON ( EVENT_PERSON.xid_person = PERSON.id ) ";
    310     }
    311     // TODO: avoid .arg
    312     query += QString("WHERE EVENT.xid_conference = %1 AND (").arg( aConferenceId );
     309        sql += "INNER JOIN EVENT_PERSON ON ( EVENT.xid_conference = EVENT_PERSON.xid_conference AND EVENT.id = EVENT_PERSON.xid_event ) ";
     310        sql += "INNER JOIN PERSON ON ( EVENT_PERSON.xid_person = PERSON.id ) ";
     311    }
     312    sql += QString("WHERE EVENT.xid_conference = %1 AND (").arg( aConferenceId );
    313313
    314314    foreach (QString table, aColumns.uniqueKeys()){
    315315        foreach (QString column, aColumns.values(table)){
    316             // TODO: SQL Injection!!!
    317             query += QString("%1.%2 LIKE '\%%3\%' OR ").arg( table, column, aKeyword );
    318         }
    319     }
    320     query.chop( QString(" OR ").length() );
    321     query += QString(");");
    322 
    323     execQuery( db, query );
     316            sql += QString("%1.%2 LIKE '\%' || :%1%2 || '\%' OR ").arg( table, column );
     317        }
     318    }
     319    sql.chop( QString(" OR ").length() );
     320    sql += QString(")");
     321
     322    QSqlQuery query(db);
     323    query.prepare(sql);
     324    foreach (QString table, aColumns.uniqueKeys()){
     325        foreach (QString column, aColumns.values(table)){
     326            query.bindValue(QString(":%1%2").arg(table, column), aKeyword );
     327        }
     328    }
     329
     330    if( !query.exec() ){
     331       qDebug() << "Could not execute search query: " << query.lastError().text();
     332       return -1;
     333    }
    324334
    325335    return 1;
Note: See TracChangeset for help on using the changeset viewer.