db: Add helper for escaping strings and use it

This commit is contained in:
Peter Keresztes Schmidt 2021-06-29 11:18:57 +02:00
parent 0edc91ffca
commit cf9c47149f
5 changed files with 18 additions and 19 deletions

View File

@ -267,3 +267,15 @@ void zmDbQueue::push(std::string &&sql) {
mQueue.push(std::move(sql)); mQueue.push(std::move(sql));
mCondition.notify_all(); mCondition.notify_all();
} }
std::string zmDbEscapeString(const std::string& to_escape) {
// According to docs, size of safer_whatever must be 2 * length + 1
// due to unicode conversions + null terminator.
std::string escaped((to_escape.length() * 2) + 1, '\0');
size_t escaped_len = mysql_real_escape_string(&dbconn, &escaped[0], to_escape.c_str(), to_escape.length());
escaped.resize(escaped_len);
return escaped;
}

View File

@ -78,4 +78,6 @@ int zmDbDoUpdate(const char *query);
MYSQL_RES * zmDbFetch(const char *query); MYSQL_RES * zmDbFetch(const char *query);
zmDbRow *zmDbFetchOne(const char *query); zmDbRow *zmDbFetchOne(const char *query);
std::string zmDbEscapeString(const std::string& to_escape);
#endif // ZM_DB_H #endif // ZM_DB_H

View File

@ -402,12 +402,9 @@ void Event::updateNotes(const StringSetMap &newNoteSetMap) {
Error("Unable to execute sql '%s': %s", sql, mysql_stmt_error(stmt)); Error("Unable to execute sql '%s': %s", sql, mysql_stmt_error(stmt));
} }
#else #else
char sql[ZM_SQL_LGE_BUFSIZ]; std::string escaped_notes = zmDbEscapeString(notes);
static char escapedNotes[ZM_SQL_MED_BUFSIZ];
mysql_real_escape_string(&dbconn, escapedNotes, notes.c_str(), notes.length()); std::string sql = stringtf("UPDATE `Events` SET `Notes` = '%s' WHERE `Id` = %" PRIu64, escaped_notes.c_str(), id);
snprintf(sql, sizeof(sql), "UPDATE `Events` SET `Notes` = '%s' WHERE `Id` = %" PRIu64, escapedNotes, id);
dbQueue.push(std::move(sql)); dbQueue.push(std::move(sql));
#endif #endif
} // end if update } // end if update

View File

@ -518,11 +518,7 @@ void Logger::logPrint(bool hex, const char *filepath, int line, int level, const
if (level <= mDatabaseLevel) { if (level <= mDatabaseLevel) {
if (zmDbConnected) { if (zmDbConnected) {
int syslogSize = syslogEnd - syslogStart; std::string escapedString = zmDbEscapeString({syslogStart, syslogEnd});
std::string escapedString;
escapedString.resize((syslogSize * 2) + 1);
mysql_real_escape_string(&dbconn, &escapedString[0], syslogStart, syslogSize);
escapedString.resize(std::strlen(escapedString.c_str()));
std::string sql_string = stringtf( std::string sql_string = stringtf(
"INSERT INTO `Logs` " "INSERT INTO `Logs` "

View File

@ -85,15 +85,7 @@ bool User::canAccess(int monitor_id) {
// Function to load a user from username and password // Function to load a user from username and password
// Please note that in auth relay mode = none, password is NULL // Please note that in auth relay mode = none, password is NULL
User *zmLoadUser(const char *username, const char *password) { User *zmLoadUser(const char *username, const char *password) {
int username_length = strlen(username); std::string escaped_username = zmDbEscapeString(username);
// According to docs, size of safer_whatever must be 2*length+1
// due to unicode conversions + null terminator.
std::string escaped_username((username_length * 2) + 1, '\0');
size_t escaped_len = mysql_real_escape_string(&dbconn, &escaped_username[0], username, username_length);
escaped_username.resize(escaped_len);
std::string sql = stringtf("SELECT `Id`, `Username`, `Password`, `Enabled`," std::string sql = stringtf("SELECT `Id`, `Username`, `Password`, `Enabled`,"
" `Stream`+0, `Events`+0, `Control`+0, `Monitors`+0, `System`+0," " `Stream`+0, `Events`+0, `Control`+0, `Monitors`+0, `System`+0,"