From 1fffb2ef9eb6f93912cf0f01fa42d4f21b14248e Mon Sep 17 00:00:00 2001
From: Fred Gleason
Date: Tue, 20 Apr 2021 08:14:35 -0400
Subject: [PATCH] 2021-04-20 Fred Gleason * Escaped all SQL identifiers in 'rdpadengined/'. * Replaced " with ' delimiters in all SQL literal strings in 'rdpadengined/'.
Signed-off-by: Fred Gleason
---
 ChangeLog | 4 +++
 rdpadengined/rdpadengined.cpp | 46 +++++++++++++++++------------------
 2 files changed, 27 insertions(+), 23 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index fb7e6a4d..b6d1ff9d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -21519,3 +21519,7 @@
 * Escaped all SQL identifiers in 'rdlogmanager/'.
 * Replaced " with ' delimiters in all SQL literal strings in
 'rdlogmanager/'.
+2021-04-20 Fred Gleason
+ * Escaped all SQL identifiers in 'rdpadengined/'.
+ * Replaced " with ' delimiters in all SQL literal strings in
+ 'rdpadengined/'.
diff --git a/rdpadengined/rdpadengined.cpp b/rdpadengined/rdpadengined.cpp
index 6c8cb78f..95b4e77c 100644
--- a/rdpadengined/rdpadengined.cpp
+++ b/rdpadengined/rdpadengined.cpp
@@ -118,20 +118,20 @@ void MainObject::ripcConnectedData(bool state)
 //
 // Clear DB Records
 //
- sql=QString("update PYPAD_INSTANCES set ")+
- "IS_RUNNING=\"N\","+
- "EXIT_CODE=0,"+
- "ERROR_TEXT=null "+
- "where STATION_NAME=\""+RDEscapeString(rda->station()->name())+"\"";
+ sql=QString("update `PYPAD_INSTANCES` set ")+
+ "`IS_RUNNING`='N',"+
+ "`EXIT_CODE`=0,"+
+ "`ERROR_TEXT`=null "+
+ "where `STATION_NAME`='"+RDEscapeString(rda->station()->name())+"'";
 RDSqlQuery::apply(sql);
 //
 // Start Scripts
 //
 sql=QString("select ")+
- "ID " // 00
- "from PYPAD_INSTANCES where "+
- "STATION_NAME=\""+RDEscapeString(rda->station()->name())+"\"";
+ "`ID` " // 00
+ "from `PYPAD_INSTANCES` where "+
+ "`STATION_NAME`='"+RDEscapeString(rda->station()->name())+"'";
 q=new RDSqlQuery(sql);
 while(q->next()) {
 StartScript(q->value(0).toUInt());
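Review bot: The values in these statements are still spliced in by string concatenation, and now that the literals are `'`-delimited their safety rests on `RDEscapeString()` escaping `'` and `\`, which this patch does not show. The station name used here and in the @@ -149, @@ -233 and @@ -256 hunks is presumably local configuration, but `err_text` in the @@ -287 hunk looks like it may carry script output, so that call is the one worth confirming. I would add a comment above the first query such as `// literals are '-delimited: RDEscapeString() must escape ' and \`, or bind the values instead if RDSqlQuery allows it. ripcConnectedData starts and ends outside the hunk.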
@@ -149,9 +149,9 @@ void MainObject::notificationReceivedData(RDNotification *notify)
 int id=notify->id().toUInt();
 switch(notify->action()) {
 case RDNotification::AddAction:
- sql=QString("select ID from PYPAD_INSTANCES where ")+
- QString().sprintf("ID=%u && ",id)+
- "STATION_NAME=\""+RDEscapeString(rda->station()->name())+"\"";
+ sql=QString("select `ID` from `PYPAD_INSTANCES` where ")+
+ QString().sprintf("`ID`=%u && ",id)+
+ "STATION_NAME='"+RDEscapeString(rda->station()->name())+"'";
 q=new RDSqlQuery(sql);
 if(q->first()) {
 StartScript(id);
@@ -233,9 +233,9 @@ void MainObject::exitData()
 //
 // Update Database
 //
- QString sql=QString("update PYPAD_INSTANCES set ")+
- "IS_RUNNING=\"N\" where "+
- "STATION_NAME=\""+RDEscapeString(rda->station()->name())+"\"";
+ QString sql=QString("update `PYPAD_INSTANCES` set ")+
+ "`IS_RUNNING`='N' where "+
+ "`STATION_NAME`='"+RDEscapeString(rda->station()->name())+"'";
 RDSqlQuery::apply(sql);
 exit(0);
 }
@@ -256,9 +256,9 @@ bool MainObject::ScriptIsActive(unsigned id) const
 void MainObject::StartScript(unsigned id)
 {
- QString sql=QString("select SCRIPT_PATH from PYPAD_INSTANCES where ")+
- QString().sprintf("ID=%u && ",id)+
- "STATION_NAME=\""+RDEscapeString(rda->station()->name())+"\"";
+ QString sql=QString("select `SCRIPT_PATH` from `PYPAD_INSTANCES` where ")+
+ QString().sprintf("`ID`=%u && ",id)+
+ "`STATION_NAME`='"+RDEscapeString(rda->station()->name())+"'";
 RDSqlQuery *q=new RDSqlQuery(sql);
 if(q->first()) {
 RDProcess *proc=new RDProcess(id,this);
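Review bot: `STATION_NAME` on the last added line of the @@ -149 hunk is left without backticks, unlike the same predicate in every other hunk, so this query does not fully meet the commit's stated aim; write it as ``"`STATION_NAME`='"+RDEscapeString(rda->station()->name())+"'";``. The `&&` in ``"`ID`=%u && "`` (also in the @@ -256 hunk) is a MySQL-specific spelling that newer MySQL releases deprecate, and `and` is the portable form. The context line `int id=notify->id().toUInt();` stores an unsigned value in an `int` and then formats it with `%u`; declaring it `unsigned id` would match both. notificationReceivedData starts and ends outside the hunk.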
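Review bot: Nothing visible in the @@ -256 hunk constrains `SCRIPT_PATH` before the `RDProcess` is created, so whoever can write the `PYPAD_INSTANCES` row appears to decide what this daemon launches. StartScript continues past the hunk, so a check may exist further down. If it does not, the function should carry a comment stating the trust assumption, for example `// SCRIPT_PATH is used as stored: write access to PYPAD_INSTANCES decides what this daemon runs`. Verifying that the path resolves inside the expected script directory would narrow that assumption.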
@@ -287,16 +287,16 @@ void MainObject::KillScript(unsigned id)
 void MainObject::SetRunStatus(unsigned id,bool state,int exit_code,
 const QString &err_text) const
 {
- QString sql=QString("update PYPAD_INSTANCES set ")+
- "IS_RUNNING=\""+RDYesNo(state)+"\","+
- QString().sprintf("EXIT_CODE=%u,",exit_code);
+ QString sql=QString("update `PYPAD_INSTANCES` set ")+
+ "`IS_RUNNING`='"+RDYesNo(state)+"',"+
+ QString().sprintf("`EXIT_CODE`=%u,",exit_code);
 if(err_text.isNull()) {
- sql+="ERROR_TEXT=null ";
+ sql+="`ERROR_TEXT`=null ";
 }
 else {
- sql+="ERROR_TEXT=\""+RDEscapeString(err_text)+"\" ";
+ sql+="`ERROR_TEXT`='"+RDEscapeString(err_text)+"' ";
 }
- sql+=QString().sprintf("where ID=%u",id);
+ sql+=QString().sprintf("where `ID`=%u",id);
 RDSqlQuery::apply(sql);
 }
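Review bot: `exit_code` is declared `int` in the signature but the third added line formats it with `%u`, so a negative exit code would be written into the statement as a large unsigned number; use ``QString().sprintf("`EXIT_CODE`=%d,",exit_code);``. Whether negative values reach this function depends on the caller, and how the database treats the oversized value depends on the type of the `EXIT_CODE` column; neither is visible here. If the column is a signed integer, the update could be rejected or clamped and the run status left stale, which is worth confirming against the schema.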