escape username and password inside zm_user
by rogerroger288
parent
5ae3cb8907
commit
93aed26a00
|
@ -100,14 +100,18 @@ bool User::canAccess( int monitor_id )
|
|||
User *zmLoadUser( const char *username, const char *password )
|
||||
{
|
||||
char sql[ZM_SQL_SML_BUFSIZ] = "";
|
||||
char safer_username[200];
|
||||
char safer_password[200];
|
||||
mysql_real_escape_string(&dbconn, safer_username, username, sizeof safer_username);
|
||||
mysql_real_escape_string(&dbconn, safer_password, password, sizeof safer_password);
|
||||
|
||||
if ( password )
|
||||
{
|
||||
snprintf( sql, sizeof(sql), "select Username, Password, Enabled, Stream+0, Events+0, Control+0, Monitors+0, System+0, MonitorIds from Users where Username = '%s' and Password = password('%s') and Enabled = 1", username, password );
|
||||
snprintf( sql, sizeof(sql), "select Username, Password, Enabled, Stream+0, Events+0, Control+0, Monitors+0, System+0, MonitorIds from Users where Username = '%s' and Password = password('%s') and Enabled = 1", safer_username, safer_password );
|
||||
}
|
||||
else
|
||||
{
|
||||
snprintf( sql, sizeof(sql), "select Username, Password, Enabled, Stream+0, Events+0, Control+0, Monitors+0, System+0, MonitorIds from Users where Username = '%s' and Enabled = 1", username );
|
||||
snprintf( sql, sizeof(sql), "select Username, Password, Enabled, Stream+0, Events+0, Control+0, Monitors+0, System+0, MonitorIds from Users where Username = '%s' and Enabled = 1", safer_username );
|
||||
}
|
||||
|
||||
if ( mysql_query( &dbconn, sql ) )
|
||||
|
|
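Review bot: The fourth argument of `mysql_real_escape_string()` is the length of the source string, not the size of the destination, so the two added calls in `zmLoadUser` read 200 bytes starting at `username` / `password` whatever their real length, and then write at least 201 bytes (up to 401) into the 200-byte `safer_*` arrays. The `password` call also runs before the `if ( password )` test, so a null password, which the else branch evidently expects, is dereferenced. Pass `strlen()` of each input, reject input longer than the buffer can hold once escaped (2*length+1 bytes), and move the password escaping inside the `if ( password )` branch. The function body continues past the end of the hunk, so the early return below assumes a null `User *` is how a failed load is reported.

```cpp
User *zmLoadUser( const char *username, const char *password )
{
    // … unchanged: sql, safer_username and safer_password declarations …

    // Escaped output can need 2*length+1 bytes, so bound the input first.
    size_t username_length = strlen( username );
    if ( username_length > (sizeof(safer_username) - 1) / 2 )
        return( 0 ); // assumed failure value; confirm against the rest of zmLoadUser
    mysql_real_escape_string( &dbconn, safer_username, username, username_length );

    if ( password )
    {
        size_t password_length = strlen( password );
        if ( password_length > (sizeof(safer_password) - 1) / 2 )
            return( 0 );
        mysql_real_escape_string( &dbconn, safer_password, password, password_length );
        // … unchanged: snprintf of the query with Password = password('%s') …
    }
    // … unchanged: else branch and mysql_query call …
```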