From 5d32b1b6df6d98ba3a26daac04fada5e3a64f262 Mon Sep 17 00:00:00 2001
From: Fred Gleason
Date: Fri, 23 Apr 2021 14:25:09 -0400
Subject: [PATCH] 2021-04-23 Fred Gleason

* Escaped all SQL identifiers in 'web/webget/'.
* Replaced " with ' delimiters in all SQL literal strings in
'web/webget/'.

Signed-off-by: Fred Gleason
---
 ChangeLog | 4 ++++
 web/webget/webget.cpp | 44 +++++++++++++++++++++----------------------
 2 files changed, 26 insertions(+), 22 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index ff915777..5f992cbd 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -21591,3 +21591,7 @@
 * Escaped all SQL identifiers in 'web/rdxport/'.
 * Replaced " with ' delimiters in all SQL literal strings in
 'web/rdxport/'.
+2021-04-23 Fred Gleason
+ * Escaped all SQL identifiers in 'web/webget/'.
+ * Replaced " with ' delimiters in all SQL literal strings in
+ 'web/webget/'.
diff --git a/web/webget/webget.cpp b/web/webget/webget.cpp
index ba64807b..3b665685 100644
--- a/web/webget/webget.cpp
+++ b/web/webget/webget.cpp
@@ -189,11 +189,11 @@ void MainObject::GetAudio()
 unsigned cartnum=0;
 int cutnum=0;
 QString sql=QString("select ")+
- "CUTS.CUT_NAME from "+
- "CART left join CUTS on CART.NUMBER=CUTS.CART_NUMBER where "+
- "CART.TITLE=\""+RDEscapeString(title)+"\" && "+
- QString().sprintf("CART.TYPE=%d ",RDCart::Audio)+
- "order by CUTS.CUT_NAME";
+ "`CUTS`.`CUT_NAME` from "+
+ "`CART` left join `CUTS` on `CART`.`NUMBER`=`CUTS`.`CART_NUMBER` where "+
+ "`CART`.`TITLE`='"+RDEscapeString(title)+"' && "+
+ QString().sprintf("`CART`.`TYPE`=%d ",RDCart::Audio)+
+ "order by `CUTS`.`CUT_NAME`";
 RDSqlQuery *q=new RDSqlQuery(sql);
 if(q->first()) {
 cartnum=RDCut::cartNumber(q->value(0).toString());
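Review bot: The new single-quoted literal built from `RDEscapeString(title)` in the GetAudio query is only as safe as RDEscapeString, which is not shown in the hunk; if that helper is a hand-rolled replacement that does not escape the single quote, backslash and NUL, or one that ignores the connection's NO_BACKSLASH_ESCAPES mode, switching the delimiter from `"` to `'` only changes which character an attacker needs in `title` rather than closing the injection. Worth confirming it delegates to the driver's real escape routine, or binding `title` as a query parameter instead of concatenating it. Because the query is still assembled by concatenation, a comment on the `sql` line such as `// literal delimiter must match the quote set RDEscapeString escapes` would help the next person who touches it. GetAudio continues outside the hunk.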
@@ -434,9 +434,9 @@ void MainObject::PutAudio()
 if((!rda->system()->allowDuplicateCartTitles())&&
 (!rda->system()->fixDuplicateCartTitles())) {
 sql=QString("select ")+
- "NUMBER "+ // 00
- "from CART where "+
- "TITLE=\""+RDEscapeString(title)+"\"";
+ "`NUMBER` "+ // 00
+ "from `CART` where "+
+ "`TITLE`='"+RDEscapeString(title)+"'";
 q=new RDSqlQuery(sql);
 if(q->first()) {
 QString body;
@@ -554,9 +554,9 @@ void MainObject::ServeForm()
 printf(" var preset_ids=new Array();\n");
 printf(" var preset_exts=new Array();\n");
 sql=QString("select ")+
- "ID,"+ // 00
- "FORMAT "+ // 01
- "from ENCODER_PRESETS order by ID";
+ "`ID`,"+ // 00
+ "`FORMAT` "+ // 01
+ "from `ENCODER_PRESETS` order by `ID`";
 int count=0;
 q=new RDSqlQuery(sql);
 while(q->next()) {
@@ -598,9 +598,9 @@ void MainObject::ServeForm()
 printf(" \n");
 printf(" \n");
 sql=QString("select ")+
- "GROUPS.NAME "+ // 00
- "from GROUPS left join USER_PERMS "+
- "on GROUPS.NAME=USER_PERMS.GROUP_NAME where "+
- "USER_PERMS.USER_NAME=\""+RDEscapeString(rda->user()->name())+"\" && "+
- QString().sprintf("GROUPS.DEFAULT_CART_TYPE=%u && ",RDCart::Audio)+
- "GROUPS.DEFAULT_LOW_CART>0 && "+
- "GROUPS.DEFAULT_HIGH_CART>0 "+
- "order by GROUPS.NAME";
+ "`GROUPS`.`NAME` "+ // 00
+ "from `GROUPS` left join `USER_PERMS` "+
+ "on `GROUPS`.`NAME`=`USER_PERMS`.`GROUP_NAME` where "+
+ "`USER_PERMS`.`USER_NAME`='"+RDEscapeString(rda->user()->name())+"' && "+
+ QString().sprintf("`GROUPS`.`DEFAULT_CART_TYPE`=%u && ",RDCart::Audio)+
+ "`GROUPS`.`DEFAULT_LOW_CART`>0 && "+
+ "`GROUPS`.`DEFAULT_HIGH_CART`>0 "+
+ "order by `GROUPS.NAME`";
 q=new RDSqlQuery(sql);
 while(q->next()) {
 printf(" \n",
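Review bot: The last added line of the GROUPS query in ServeForm wraps the whole dotted name in one pair of backticks, "order by `GROUPS.NAME`", which MySQL reads as a single column literally named GROUPS.NAME rather than column NAME of table GROUPS, so the query now fails with an unknown-column error in the ORDER BY clause; it should use the two-part form that every other line in the hunk uses, "order by `GROUPS`.`NAME`". Nothing in the surrounding lines checks the query for an error, so if RDSqlQuery reports failure only through an empty result, the effect is presumably a group selector that silently renders with no groups instead of a visible failure. The hunk header's line counts do not match the fourteen hunk lines shown, so the rendered hunk boundary may be off; ServeForm continues past it in any case.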