2021-04-19 Fred Gleason <fredg@paravelsystems.com>

* Escaped all SQL identifiers in 'rdcatchd/'.
	* Replaced " with ' delimiters in all SQL literal strings in
	'rdcatchd/'.

Signed-off-by: Fred Gleason <fredg@paravelsystems.com>
Fred Gleason
2021-04-19 19:51:47 -04:00
parent 5f2dc2a7a1
commit 220ead0ccd
5 changed files with 183 additions and 188 deletions


@@ -45,10 +45,10 @@ void EventPlayer::load(const QString &cutname)
// Load Deck Events
//
event_deck_events.clear();
sql=QString("select CART_NUMBER from DECK_EVENTS where ")+
"(STATION_NAME=\""+RDEscapeString(event_station->name())+"\")&&"+
QString().sprintf("(CHANNEL=%d) ",event_channel)+
"order by NUMBER";
sql=QString("select `CART_NUMBER` from `DECK_EVENTS` where ")+
"(`STATION_NAME`='"+RDEscapeString(event_station->name())+"')&&"+
QString().sprintf("(`CHANNEL`=%d) ",event_channel)+
"order by `NUMBER`";
q=new RDSqlQuery(sql);
while(q->next()) {
event_deck_events.push_back(q->value(0).toUInt());
@@ -62,8 +62,8 @@ void EventPlayer::load(const QString &cutname)
event_numbers.clear();
event_points.clear();
event_current_event=-1;
sql=QString("select NUMBER,POINT from CUT_EVENTS where ")+
"CUT_NAME=\""+cutname+"\" "+
sql=QString("select `NUMBER`,`POINT` from `CUT_EVENTS` where ")+
"`CUT_NAME`='"+RDEscapeString(cutname)+"' "+
"order by POINT";
q=new RDSqlQuery(sql);
while(q->next()) {
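Review bot: The `"order by POINT";` line in the second hunk still carries a bare identifier, although the commit message says all SQL identifiers in 'rdcatchd/' were escaped and the first hunk does quote `NUMBER` in its order-by clause; it should read ``"order by `POINT`";``. The security-relevant change in this hunk is that `cutname` now goes through `RDEscapeString()` before being spliced into the `CUT_NAME` literal, where the old side concatenated it raw. Because the statement is still assembled by string concatenation, its safety rests on `RDEscapeString()` escaping correctly for `'`-delimited literals; its definition is not visible here, so that is worth confirming, and a bound parameter would be the sturdier form if `RDSqlQuery` offers one. The body of `EventPlayer::load()` starts and ends outside both hunks.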