Changeset dcefa71


Timestamp:
06/23/11 17:47:43 (10 years ago)
Author:
Philipp Spitzer <philipp@…>
Branches:
master, qt5
Children:
fea60c8
Parents:
68b2df2
Message:

Prevented SQL injections in function addPersonToDB.

File:
1 edited

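--- a/src/sql/sqlengine.cpp
+++ b/src/sql/sqlengine.cpp
@@ -217,15 +217,19 @@
     if (db.isValid() && db.isOpen())
     {
-        // TODO: SQL Injection!!!
-        QString values = QString("'%1', '%2', '%3'").arg(aPerson["conference_id"],aPerson["id"],aPerson["name"]);
-        QString query = QString("INSERT INTO PERSON (xid_conference,id,name) VALUES (%1)").arg(values);
-        QSqlQuery result (query, db);
-           //LOG_AUTOTEST(query);
-
-        // TODO: SQL Injection!!!
-        values = QString("'%1', '%2', '%3'").arg(aPerson["conference_id"],aPerson["event_id"],aPerson["id"]);
-        query = QString("INSERT INTO EVENT_PERSON (xid_conference,xid_event,xid_person) VALUES (%1)").arg(values);
-        QSqlQuery resultEventPerson (query, db);
-           //LOG_AUTOTEST(query);
+        QSqlQuery query(db);
+        query.prepare("INSERT INTO PERSON (xid_conference,id,name) VALUES (:xid_conference, :id, :name)");
+        query.bindValue(":xid_conference", aPerson["conference_id"]);
+        query.bindValue(":id", aPerson["id"]);
+        query.bindValue(":name", aPerson["name"]);
+        query.exec(); // some queries fail due to the unique key constraint
+        // if (!query.exec()) qDebug() << "SQL query 'insert into person' failed: " << query.lastError();
+
+        query = QSqlQuery(db);
+        query.prepare("INSERT INTO EVENT_PERSON (xid_conference,xid_event,xid_person) VALUES (:xid_conference, :xid_event, :xid_person)");
+        query.bindValue(":xid_conference", aPerson["conference_id"]);
+        query.bindValue(":xid_event", aPerson["event_id"]);
+        query.bindValue(":xid_person", aPerson["id"]);
+        query.exec(); // some queries fail due to the unique key constraint
+        // if (!query.exec()) qDebug() << "SQL query 'insert into event_person' failed: " << query.lastError();
     }
 }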
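Review bot: Both `query.exec()` calls on new lines 224 and 232 discard their result, so any failure other than the expected unique-key rejection (a closed connection, a schema mismatch, a `prepare()` that did not succeed) is silently swallowed and the person row or its EVENT_PERSON link simply goes missing. Checking the return value and inspecting `query.lastError()` keeps the best-effort behaviour while surfacing unexpected errors; the commented-out line already sketches it, e.g. `if (!query.exec()) qDebug() << "SQL query 'insert into person' failed: " << query.lastError();`. The two `prepare()` calls return a bool that is likewise unchecked, and a failed prepare makes the subsequent `bindValue()`/`exec()` pointless, so the same check applies there. The enclosing function addPersonToDB starts above the hunk, and the type of `aPerson` is not visible here, so whether its lookups can yield a null QVariant for a missing key should be confirmed at the call site.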