escape username and password inside zm_user
by rogerroger288
parent
5ae3cb8907
commit
93aed26a00
|
@ -100,14 +100,18 @@ bool User::canAccess( int monitor_id )
|
||||||
User *zmLoadUser( const char *username, const char *password )
|
User *zmLoadUser( const char *username, const char *password )
|
||||||
{
|
{
|
||||||
char sql[ZM_SQL_SML_BUFSIZ] = "";
|
char sql[ZM_SQL_SML_BUFSIZ] = "";
|
||||||
|
char safer_username[200];
|
||||||
|
char safer_password[200];
|
||||||
|
mysql_real_escape_string(&dbconn, safer_username, username, sizeof safer_username);
|
||||||
|
mysql_real_escape_string(&dbconn, safer_password, password, sizeof safer_password);
|
||||||
|
|
||||||
if ( password )
|
if ( password )
|
||||||
{
|
{
|
||||||
snprintf( sql, sizeof(sql), "select Username, Password, Enabled, Stream+0, Events+0, Control+0, Monitors+0, System+0, MonitorIds from Users where Username = '%s' and Password = password('%s') and Enabled = 1", username, password );
|
snprintf( sql, sizeof(sql), "select Username, Password, Enabled, Stream+0, Events+0, Control+0, Monitors+0, System+0, MonitorIds from Users where Username = '%s' and Password = password('%s') and Enabled = 1", safer_username, safer_password );
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
snprintf( sql, sizeof(sql), "select Username, Password, Enabled, Stream+0, Events+0, Control+0, Monitors+0, System+0, MonitorIds from Users where Username = '%s' and Enabled = 1", username );
|
snprintf( sql, sizeof(sql), "select Username, Password, Enabled, Stream+0, Events+0, Control+0, Monitors+0, System+0, MonitorIds from Users where Username = '%s' and Enabled = 1", safer_username );
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( mysql_query( &dbconn, sql ) )
|
if ( mysql_query( &dbconn, sql ) )
|
||||||
|
|
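Review bot: The two added `mysql_real_escape_string` calls pass `sizeof safer_username` and `sizeof safer_password` as the fourth argument, but that argument is the length of the source string, not the size of the destination. Each call therefore processes 200 bytes starting at `username` / `password` whatever their real length, reading past the terminator of a shorter input and writing past the 200-byte destination, which has to hold 2 × length + 1 bytes. The password call also runs before the `if ( password )` test, so a null `password`, which the else branch exists to handle, is handed to the escape function. I would pass the `strlen()` of each input, reject input that cannot fit the buffer once escaped, and move the password escaping inside the `if ( password )` branch, as below. zmLoadUser continues past the end of the hunk, so the failure return used here is an assumption to check against its callers.

```cpp
// … unchanged: signature and sql buffer …
char safer_username[200];
char safer_password[200] = "";

// Fourth argument is the source length; the destination needs 2 * length + 1 bytes.
const size_t username_length = strlen( username );
if ( username_length * 2 + 1 > sizeof(safer_username) )
    return( 0 ); // assumes callers treat a null User* as a failed login; confirm
mysql_real_escape_string( &dbconn, safer_username, username, username_length );

if ( password )
{
    const size_t password_length = strlen( password );
    if ( password_length * 2 + 1 > sizeof(safer_password) )
        return( 0 );
    mysql_real_escape_string( &dbconn, safer_password, password, password_length );
    // … unchanged: snprintf of the username-and-password query …
}
// … unchanged: else branch and mysql_query call …
```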