db: Add helper for escaping strings and use it
This commit is contained in:
parent
0edc91ffca
commit
cf9c47149f
|
@ -267,3 +267,15 @@ void zmDbQueue::push(std::string &&sql) {
|
||||||
mQueue.push(std::move(sql));
|
mQueue.push(std::move(sql));
|
||||||
mCondition.notify_all();
|
mCondition.notify_all();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
std::string zmDbEscapeString(const std::string& to_escape) {
|
||||||
|
// According to docs, size of safer_whatever must be 2 * length + 1
|
||||||
|
// due to unicode conversions + null terminator.
|
||||||
|
std::string escaped((to_escape.length() * 2) + 1, '\0');
|
||||||
|
|
||||||
|
|
||||||
|
size_t escaped_len = mysql_real_escape_string(&dbconn, &escaped[0], to_escape.c_str(), to_escape.length());
|
||||||
|
escaped.resize(escaped_len);
|
||||||
|
|
||||||
|
return escaped;
|
||||||
|
}
|
||||||
|
|
|
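Review bot: The return value of mysql_real_escape_string() is stored unchecked into `escaped_len` and fed straight into `escaped.resize()`; MySQL's client library returns (unsigned long)-1 (CR_INSECURE_API_ERR) when the session has NO_BACKSLASH_ESCAPES enabled because it cannot escape correctly, so the helper would either throw from resize() or, where `unsigned long` is 32-bit, silently truncate the sentinel into a length after it was narrowed into `size_t`. MariaDB Connector/C handles that SQL mode itself, so whether this can fire depends on which client the build links against, but this helper is now the single choke point for every interpolated literal and should never hand back an unverified buffer. Compare against `static_cast<unsigned long>(-1)` using the API's own return type, report through the project's `Error()` (used in the Events hunk below), and return an empty string so callers get a query that matches nothing rather than an unescaped one.
```cpp
  std::string escaped((to_escape.length() * 2) + 1, '\0');

  unsigned long escaped_len = mysql_real_escape_string(&dbconn, &escaped[0], to_escape.c_str(), to_escape.length());
  if (escaped_len == static_cast<unsigned long>(-1)) {
    // The client could not escape safely (e.g. NO_BACKSLASH_ESCAPES); never return partial output.
    Error("mysql_real_escape_string failed: %s", mysql_error(&dbconn));
    return std::string();
  }
  escaped.resize(escaped_len);
  // … unchanged: return escaped …
```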
@ -78,4 +78,6 @@ int zmDbDoUpdate(const char *query);
|
||||||
MYSQL_RES * zmDbFetch(const char *query);
|
MYSQL_RES * zmDbFetch(const char *query);
|
||||||
zmDbRow *zmDbFetchOne(const char *query);
|
zmDbRow *zmDbFetchOne(const char *query);
|
||||||
|
|
||||||
|
std::string zmDbEscapeString(const std::string& to_escape);
|
||||||
|
|
||||||
#endif // ZM_DB_H
|
#endif // ZM_DB_H
|
||||||
|
|
|
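Review bot: The new declaration `std::string zmDbEscapeString(const std::string& to_escape);` carries no comment, and its contract matters because every caller now trusts it: the output is only safe inside a single-quoted string literal, it is computed with the character set of the global `dbconn` connection (so it is correct only while that matches the charset the server session actually uses), and mysql_real_escape_string() does not touch `%` or `_`, so the result is not sufficient for LIKE patterns or identifiers. Suggest a comment above the declaration such as `// Escapes to_escape via mysql_real_escape_string() on the global dbconn for use inside a single-quoted SQL literal only; not suitable for identifiers or LIKE patterns.`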
@ -402,12 +402,9 @@ void Event::updateNotes(const StringSetMap &newNoteSetMap) {
|
||||||
Error("Unable to execute sql '%s': %s", sql, mysql_stmt_error(stmt));
|
Error("Unable to execute sql '%s': %s", sql, mysql_stmt_error(stmt));
|
||||||
}
|
}
|
||||||
#else
|
#else
|
||||||
char sql[ZM_SQL_LGE_BUFSIZ];
|
std::string escaped_notes = zmDbEscapeString(notes);
|
||||||
static char escapedNotes[ZM_SQL_MED_BUFSIZ];
|
|
||||||
|
|
||||||
mysql_real_escape_string(&dbconn, escapedNotes, notes.c_str(), notes.length());
|
std::string sql = stringtf("UPDATE `Events` SET `Notes` = '%s' WHERE `Id` = %" PRIu64, escaped_notes.c_str(), id);
|
||||||
|
|
||||||
snprintf(sql, sizeof(sql), "UPDATE `Events` SET `Notes` = '%s' WHERE `Id` = %" PRIu64, escapedNotes, id);
|
|
||||||
dbQueue.push(std::move(sql));
|
dbQueue.push(std::move(sql));
|
||||||
#endif
|
#endif
|
||||||
} // end if update
|
} // end if update
|
||||||
|
|
|
@ -518,11 +518,7 @@ void Logger::logPrint(bool hex, const char *filepath, int line, int level, const
|
||||||
|
|
||||||
if (level <= mDatabaseLevel) {
|
if (level <= mDatabaseLevel) {
|
||||||
if (zmDbConnected) {
|
if (zmDbConnected) {
|
||||||
int syslogSize = syslogEnd - syslogStart;
|
std::string escapedString = zmDbEscapeString({syslogStart, syslogEnd});
|
||||||
std::string escapedString;
|
|
||||||
escapedString.resize((syslogSize * 2) + 1);
|
|
||||||
mysql_real_escape_string(&dbconn, &escapedString[0], syslogStart, syslogSize);
|
|
||||||
escapedString.resize(std::strlen(escapedString.c_str()));
|
|
||||||
|
|
||||||
std::string sql_string = stringtf(
|
std::string sql_string = stringtf(
|
||||||
"INSERT INTO `Logs` "
|
"INSERT INTO `Logs` "
|
||||||
|
|
|
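Review bot: `zmDbEscapeString({syslogStart, syslogEnd})` on the new line builds its argument through std::string's iterator-range constructor, which at first glance reads like an initializer list of two elements; `zmDbEscapeString(std::string(syslogStart, syslogEnd))` states the intent and makes the same single copy. This assumes both names are character pointers, which the removed `syslogEnd - syslogStart` and the old call passing `syslogStart` as the source buffer suggest. Logger::logPrint continues outside the hunk.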
@ -85,15 +85,7 @@ bool User::canAccess(int monitor_id) {
|
||||||
// Function to load a user from username and password
|
// Function to load a user from username and password
|
||||||
// Please note that in auth relay mode = none, password is NULL
|
// Please note that in auth relay mode = none, password is NULL
|
||||||
User *zmLoadUser(const char *username, const char *password) {
|
User *zmLoadUser(const char *username, const char *password) {
|
||||||
int username_length = strlen(username);
|
std::string escaped_username = zmDbEscapeString(username);
|
||||||
|
|
||||||
// According to docs, size of safer_whatever must be 2*length+1
|
|
||||||
// due to unicode conversions + null terminator.
|
|
||||||
std::string escaped_username((username_length * 2) + 1, '\0');
|
|
||||||
|
|
||||||
|
|
||||||
size_t escaped_len = mysql_real_escape_string(&dbconn, &escaped_username[0], username, username_length);
|
|
||||||
escaped_username.resize(escaped_len);
|
|
||||||
|
|
||||||
std::string sql = stringtf("SELECT `Id`, `Username`, `Password`, `Enabled`,"
|
std::string sql = stringtf("SELECT `Id`, `Username`, `Password`, `Enabled`,"
|
||||||
" `Stream`+0, `Events`+0, `Control`+0, `Monitors`+0, `System`+0,"
|
" `Stream`+0, `Events`+0, `Control`+0, `Monitors`+0, `System`+0,"
|
||||||
|
|
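Review bot: `zmDbEscapeString(username)` converts the `const char *` parameter to a temporary std::string, which is undefined behaviour when `username` is null; the removed `strlen(username)` carried the same precondition, and the comment above the function only documents that `password` may be NULL in auth relay mode none, so the assumption about `username` stays implicit in the new code. Either a guard before the escape, `if (!username) return nullptr;` (assuming the not-found path of zmLoadUser returns nullptr, which is outside the hunk), or a comment such as `// username must be non-null; only password may be NULL (see above)` would make it explicit. zmLoadUser continues outside the hunk.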