db: Add helper for escaping strings and use it
This commit is contained in:
parent
0edc91ffca
commit
cf9c47149f
@ -267,3 +267,15 @@ void zmDbQueue::push(std::string &&sql) {
mQueue.push(std::move(sql));
mCondition.notify_all();
}
std::string zmDbEscapeString(const std::string& to_escape) {
// According to docs, size of safer_whatever must be 2 * length + 1
// due to unicode conversions + null terminator.
std::string escaped((to_escape.length() * 2) + 1, '\0');
size_t escaped_len = mysql_real_escape_string(&dbconn, &escaped[0], to_escape.c_str(), to_escape.length());
escaped.resize(escaped_len);
return escaped;
}
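Review bot: The call at `size_t escaped_len = mysql_real_escape_string(&dbconn, &escaped[0], to_escape.c_str(), to_escape.length());` does not check for the documented error return; MySQL's client library (5.7.6 and later) returns `(unsigned long)-1` when the connection's SQL mode includes `NO_BACKSLASH_ESCAPES`, because backslash escaping is wrong in that mode, and `escaped.resize(escaped_len)` then throws `std::length_error` from inside a helper that every SQL-building caller now depends on. Compare the return value against -1, report it through the project's `Error` logging with `mysql_error(&dbconn)`, and return an empty string rather than the partially written buffer: an empty literal in the callers' `'%s'` slots produces a harmless no-match or empty update, while unescaped bytes would not. The header comment describes only the buffer arithmetic; a line stating the contract helps callers: `// Escapes to_escape for interpolation inside a quoted SQL literal using dbconn's current character set; the result carries no quotes of its own.` Whether `dbconn` is ever used concurrently by the logger thread and the queue thread is not visible here; if it is, this helper inherits that question rather than answering it.

```cpp
  unsigned long escaped_len = mysql_real_escape_string(&dbconn, &escaped[0], to_escape.c_str(), to_escape.length());
  if (escaped_len == static_cast<unsigned long>(-1)) {
    // e.g. NO_BACKSLASH_ESCAPES sql_mode: the buffer contents are not safe to use
    Error("Unable to escape string for SQL: %s", mysql_error(&dbconn));
    return std::string();
  }
  escaped.resize(escaped_len);
  // … unchanged: return escaped …
```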
@ -78,4 +78,6 @@ int zmDbDoUpdate(const char *query);
MYSQL_RES * zmDbFetch(const char *query);
zmDbRow *zmDbFetchOne(const char *query);
std::string zmDbEscapeString(const std::string& to_escape);
#endif // ZM_DB_H
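Review bot: The new declaration `std::string zmDbEscapeString(const std::string& to_escape);` carries no comment, so a caller reading only the header cannot tell whether quotes are added or which connection's character set governs the escaping; the definition in zm_db.cpp uses the global `dbconn` and adds no quotes. Suggest `/// Escapes to_escape for interpolation inside a single-quoted SQL literal using the global dbconn; the returned bytes carry no surrounding quotes.` This is also the only `std::string` in the visible part of the header, so if zm_db.h does not already include `<string>`, add it here rather than relying on includers to do so.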
@ -402,12 +402,9 @@ void Event::updateNotes(const StringSetMap &newNoteSetMap) {
Error("Unable to execute sql '%s': %s", sql, mysql_stmt_error(stmt));
}
#else
char sql[ZM_SQL_LGE_BUFSIZ];
static char escapedNotes[ZM_SQL_MED_BUFSIZ];
std::string escaped_notes = zmDbEscapeString(notes);
mysql_real_escape_string(&dbconn, escapedNotes, notes.c_str(), notes.length());
snprintf(sql, sizeof(sql), "UPDATE `Events` SET `Notes` = '%s' WHERE `Id` = %" PRIu64, escapedNotes, id);
std::string sql = stringtf("UPDATE `Events` SET `Notes` = '%s' WHERE `Id` = %" PRIu64, escaped_notes.c_str(), id);
dbQueue.push(std::move(sql));
#endif
} // end if update
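Review bot: `escaped_notes` at `std::string escaped_notes = zmDbEscapeString(notes);` is read exactly once, in the `stringtf` call that follows; passing `zmDbEscapeString(notes).c_str()` directly as that argument is equally safe, since the temporary lives until the full expression completes, and avoids naming a value whose only purpose is to be formatted. Dropping the `static char escapedNotes[ZM_SQL_MED_BUFSIZ]` buffer is the real gain of this hunk: the new code neither shares a buffer between threads nor silently caps the escaped length at the buffer size, and that deserves a sentence in the commit message. This is the `#else` branch of a conditional whose `#if` side, judging by the `mysql_stmt_error(stmt)` call above, binds `Notes` as a prepared-statement parameter and needs no escaping at all; the fallback is now as safe as `mysql_real_escape_string` makes it, which presumes `dbconn`'s character set matches how `notes` is encoded. `Event::updateNotes` begins and ends outside the hunk.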
@ -518,11 +518,7 @@ void Logger::logPrint(bool hex, const char *filepath, int line, int level, const
if (level <= mDatabaseLevel) {
if (zmDbConnected) {
int syslogSize = syslogEnd - syslogStart;
std::string escapedString;
escapedString.resize((syslogSize * 2) + 1);
mysql_real_escape_string(&dbconn, &escapedString[0], syslogStart, syslogSize);
escapedString.resize(std::strlen(escapedString.c_str()));
std::string escapedString = zmDbEscapeString({syslogStart, syslogEnd});
std::string sql_string = stringtf(
"INSERT INTO `Logs` "
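Review bot: `zmDbEscapeString({syslogStart, syslogEnd})` brace-initialises the `const std::string&` parameter from two pointers, which selects the iterator-pair constructor but at first glance reads as an initializer list; `zmDbEscapeString(std::string(syslogStart, syslogEnd))` says what is meant and behaves the same. The rewrite also drops the removed code's `std::strlen` re-measurement in favour of the length `mysql_real_escape_string` reports, which is the cheaper and more direct form. Whether `syslogStart <= syslogEnd` always holds is established above the hunk, as it was for the removed `syslogEnd - syslogStart`; `Logger::logPrint` begins and ends outside the hunk.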
@ -85,15 +85,7 @@ bool User::canAccess(int monitor_id) {
// Function to load a user from username and password
// Please note that in auth relay mode = none, password is NULL
User *zmLoadUser(const char *username, const char *password) {
int username_length = strlen(username);
// According to docs, size of safer_whatever must be 2*length+1
// due to unicode conversions + null terminator.
std::string escaped_username((username_length * 2) + 1, '\0');
size_t escaped_len = mysql_real_escape_string(&dbconn, &escaped_username[0], username, username_length);
escaped_username.resize(escaped_len);
std::string escaped_username = zmDbEscapeString(username);
std::string sql = stringtf("SELECT `Id`, `Username`, `Password`, `Enabled`,"
" `Stream`+0, `Events`+0, `Control`+0, `Monitors`+0, `System`+0,"
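Review bot: `std::string escaped_username = zmDbEscapeString(username);` converts a `const char*` to a `std::string` temporary, which is undefined behaviour when `username` is null; the removed `strlen(username)` had the same hole, so this is not a regression, but the rewrite is the natural place to close it with `if (!username) return nullptr;` ahead of the escape (or whatever the function's existing not-found path returns — its tail is outside the hunk). The comment above only promises that `password` may be NULL in auth relay mode none, not `username`, so the guard costs nothing on the normal path. Removing the duplicated buffer-size comment is right, since that reasoning now lives with `zmDbEscapeString`; `zmLoadUser` continues past the hunk.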