Changeset dc54e87


Timestamp:
06/23/11 17:02:15 (10 years ago)
Author:
Philipp Spitzer <philipp@…>
Branches:
master, qt5
Children:
96344e7
Parents:
4be292a
Message:

Prevented SQL injection in function addLinkToDB.

File:
1 edited

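--- a/src/sql/sqlengine.cpp
+++ b/src/sql/sqlengine.cpp
@@ -278,8 +278,11 @@
     if (db.isValid() && db.isOpen())
     {
-        // TODO: SQL Injection!!!
-        QString values = QString("'%1', '%2', '%3', '%4'").arg(aLink["event_id"],aLink["conference_id"],aLink["name"],aLink["url"]);
-        QString query = QString("INSERT INTO LINK (xid_event, xid_conference, name, url) VALUES (%1)").arg(values);
-        QSqlQuery result(query, db);
+        QSqlQuery query(db);
+        query.prepare("INSERT INTO LINK (xid_event, xid_conference, name, url) VALUES (:xid_event, :xid_conference, :name, :url)");
+        query.bindValue(":xid_event", aLink["event_id"]);
+        query.bindValue(":xid_conference", aLink["conference_id"]);
+        query.bindValue(":name", aLink["name"]);
+        query.bindValue(":url", aLink["url"]);
+        if (!query.exec()) qDebug() << "Error executing 'insert into link' query: " << query.lastError();
         //LOG_AUTOTEST(query);
     }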
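Review bot: The return value of `query.prepare(...)` on the second added line is ignored, so a failed prepare (missing table, driver without prepared-statement support, connection dropped between isOpen() and prepare) is only noticed as a confusing "insert into link" exec error with the prepare's own lastError() already overwritten. I would check it explicitly and bail out before binding: `if (!query.prepare("INSERT INTO LINK ... VALUES (:xid_event, :xid_conference, :name, :url)")) { qWarning() << "Error preparing 'insert into link' query: " << query.lastError(); return; }`, and use `qWarning()` rather than `qDebug()` on the exec failure as well, since a silently lost link row is an error, not debug noise. The switch to named placeholders with bindValue() does close the injection hole the TODO flagged; a one-line comment above the prepare, `// Values come from parsed conference data; bind them rather than formatting them into the SQL text to prevent injection.`, would keep the next maintainer from reverting to QString::arg. Note that `aLink["event_id"]` etc. look like non-const map lookups that presumably insert a default entry when the key is absent (binding a null/empty value) — confirm that is acceptable for the callers, as the old code had the same behaviour. The enclosing addLinkToDB function begins and ends outside this hunk, so I cannot tell whether the failure is reported to the caller.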