2021-04-17 Fred Gleason <fredg@paravelsystems.com>

* Escaped all SQL identifiers in 'lib/'. * Replaced " with ' delimiters in all SQL literal strings in 'lib/'. Signed-off-by: Fred Gleason <fredg@paravelsystems.com>
2026-01-13 16:15:51 +01:00 · 2021-04-17 19:47:05 -04:00
parent 1b7dd5cd7d
commit 0fd02861f9
104 changed files with 4807 additions and 5120 deletions
--- a/lib/rdripc.cpp
+++ b/lib/rdripc.cpp
@@ -2,7 +2,7 @@
 //
 // Connection to the Rivendell Interprocess Communication Daemon
 //
-//   (C) Copyright 2002-2019 Fred Gleason <fredg@paravelsystems.com>
+//   (C) Copyright 2002-2021 Fred Gleason <fredg@paravelsystems.com>
 //
 //   This program is free software; you can redistribute it and/or modify
 //   it under the terms of the GNU General Public License version 2 as
@@ -18,13 +18,6 @@
 //   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
 //

-#include <ctype.h>
-#include <syslog.h>
-
-#include <qobject.h>
-#include <qapplication.h>
-#include <qdatetime.h>
-
 #include "rdapplication.h"
 #include "rddatedecode.h"
 #include "rddb.h"
@@ -173,8 +166,11 @@ void RDRipc::sendRml(RDMacro *macro)
    port=macro->port();
  }
  QString rmlline=macro->toString();
-  QString sql=QString("select NAME,VARVALUE from HOSTVARS where ")+
-    "STATION_NAME=\""+RDEscapeString(ripc_station->name())+"\"";
+  QString sql=QString("select ")+
+    "`NAME`,"+      // 00
+    "`VARVALUE` "+  // 01
+    "from `HOSTVARS` where "+
+    "`STATION_NAME`='"+RDEscapeString(ripc_station->name())+"'";
  RDSqlQuery *q=new RDSqlQuery(sql);
  while(q->next()) {
    rmlline.replace(q->value(0).toString(),q->value(1).toString());