2021-04-23 Fred Gleason <fredg@paravelsystems.com>
* Escaped all SQL identifiers in 'web/rdxport/'. * Replaced " with ' delimiters in all SQL literal strings in 'web/rdxport/'. Signed-off-by: Fred Gleason <fredg@paravelsystems.com>
This commit is contained in:
parent
ac82d7356a
commit
703299899c
@ -21587,3 +21587,7 @@
|
||||
* Escaped all SQL identifiers in 'utils/rdmarkerset/'.
|
||||
* Replaced " with ' delimiters in all SQL literal strings in
|
||||
'utils/rdmarkerset/'.
|
||||
2021-04-23 Fred Gleason <fredg@paravelsystems.com>
|
||||
* Escaped all SQL identifiers in 'web/rdxport/'.
|
||||
* Replaced " with ' delimiters in all SQL literal strings in
|
||||
'web/rdxport/'.
|
||||
|
@ -151,9 +151,9 @@ void Xport::ListCarts()
|
||||
where=RDAllCartSearchText(filter,"",rda->user()->name(),false);
|
||||
}
|
||||
else {
|
||||
sql=QString("select GROUP_NAME from USER_PERMS where ")+
|
||||
"(GROUP_NAME=\""+RDEscapeString(group_name)+"\")&&"+
|
||||
"(USER_NAME=\""+RDEscapeString(rda->user()->name())+"\")";
|
||||
sql=QString("select `GROUP_NAME` from `USER_PERMS` where ")+
|
||||
"(`GROUP_NAME`='"+RDEscapeString(group_name)+"')&&"+
|
||||
"(`USER_NAME`='"+RDEscapeString(rda->user()->name())+"')";
|
||||
q=new RDSqlQuery(sql);
|
||||
if(!q->first()) {
|
||||
delete q;
|
||||
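Review bot: The value quoting in the rewritten predicate ``"(`GROUP_NAME`='"+RDEscapeString(group_name)+"')&&"`` is now only as good as RDEscapeString's treatment of the single quote and the backslash, because the literal delimiter changed from " to ' while the escaping helper stayed the same. The hunk cannot show what that helper escapes, so confirm in its implementation that ' is covered; every value interpolated in this commit now relies on it, and if it is not covered the change would weaken rather than strengthen the quoting. ListCarts continues outside the hunk.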
@ -162,9 +162,9 @@ void Xport::ListCarts()
|
||||
where=RDCartSearchText(filter,group_name,"",false);
|
||||
}
|
||||
if(cart_type!=RDCart::All) {
|
||||
where+=QString().sprintf("&&(TYPE=%u)",cart_type);
|
||||
where+=QString().sprintf("&&(`TYPE`=%u)",cart_type);
|
||||
}
|
||||
sql=RDCart::xmlSql(include_cuts)+where+" order by CART.NUMBER";
|
||||
sql=RDCart::xmlSql(include_cuts)+where+" order by `CART`.`NUMBER`";
|
||||
q=new RDSqlQuery(sql);
|
||||
|
||||
//
|
||||
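Review bot: ``where+=QString().sprintf("&&(`TYPE`=%u)",cart_type);`` keeps the `QString().sprintf` idiom, which Qt 5.14 marks deprecated; ``where+=QString::asprintf("&&(`TYPE`=%u)",cart_type);`` gives the same text without the deprecation warning or the throwaway temporary. The same idiom is kept in the ListCuts, ListLogs (order by … limit), PostImage and RemoveImage hunks. This is a point of style only; the numeric formatting is unaffected by the quoting change. ListCarts continues outside the hunk.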
@ -529,7 +529,7 @@ void Xport::ListCuts()
|
||||
// Process Request
|
||||
//
|
||||
sql=RDCart::xmlSql(true)+
|
||||
QString().sprintf(" where CART.NUMBER=%u",cart_number);
|
||||
QString().sprintf(" where `CART`.`NUMBER`=%u",cart_number);
|
||||
q=new RDSqlQuery(sql);
|
||||
printf("Content-type: application/xml\n");
|
||||
printf("Status: 200\n\n");
|
||||
|
@ -60,8 +60,8 @@ void Xport::DeleteAudio()
|
||||
}
|
||||
unlink(RDCut::pathName(cartnum,cutnum).toUtf8());
|
||||
unlink((RDCut::pathName(cartnum,cutnum)+".energy").toUtf8());
|
||||
QString sql=QString("delete from CUT_EVENTS where ")+
|
||||
"CUT_NAME=\""+RDCut::cutName(cartnum,cutnum)+"\"";
|
||||
QString sql=QString("delete from `CUT_EVENTS` where ")+
|
||||
"`CUT_NAME`='"+RDCut::cutName(cartnum,cutnum)+"'";
|
||||
RDSqlQuery *q=new RDSqlQuery(sql);
|
||||
delete q;
|
||||
SendNotification(RDNotification::CartType,RDNotification::ModifyAction,
|
||||
|
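Review bot: ``"`CUT_NAME`='"+RDCut::cutName(cartnum,cutnum)+"'"`` is the one interpolated literal in this commit that is not passed through RDEscapeString; the value appears to be derived from two numbers, so it is probably safe, but writing it as `RDEscapeString(RDCut::cutName(cartnum,cutnum))` keeps the rule the commit establishes uniform and cheap to audit. Separately, the two `unlink()` calls above discard their return value, so a failed removal leaves the audio file on disk while the CUT_EVENTS row is deleted and the notification is still sent; logging a non-zero return together with errno would make that state visible. DeleteAudio continues outside the hunk.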
@ -44,9 +44,9 @@ void Xport::ListGroups()
|
||||
// Generate Group List
|
||||
//
|
||||
sql=QString("select ")+
|
||||
"GROUP_NAME from USER_PERMS where "+
|
||||
"USER_NAME=\""+RDEscapeString(rda->user()->name())+"\" "+
|
||||
"order by GROUP_NAME";
|
||||
"`GROUP_NAME` from `USER_PERMS` where "+
|
||||
"`USER_NAME`='"+RDEscapeString(rda->user()->name())+"' "+
|
||||
"order by `GROUP_NAME`";
|
||||
q=new RDSqlQuery(sql);
|
||||
|
||||
//
|
||||
@ -86,9 +86,9 @@ void Xport::ListGroup()
|
||||
// Check Group Accessibility
|
||||
//
|
||||
sql=QString("select ")+
|
||||
"GROUP_NAME from USER_PERMS where "+
|
||||
"(USER_NAME=\""+RDEscapeString(rda->user()->name())+"\")&&"+
|
||||
"(GROUP_NAME=\""+RDEscapeString(group_name)+"\")";
|
||||
"`GROUP_NAME` from `USER_PERMS` where "+
|
||||
"(`USER_NAME`='"+RDEscapeString(rda->user()->name())+"')&&"+
|
||||
"(`GROUP_NAME`='"+RDEscapeString(group_name)+"')";
|
||||
q=new RDSqlQuery(sql);
|
||||
if(!q->first()) {
|
||||
delete q;
|
||||
|
@ -132,38 +132,38 @@ void Xport::ListLogs()
|
||||
//
|
||||
// Generate Log List
|
||||
//
|
||||
sql="select NAME from LOGS";
|
||||
sql="select `NAME` from `LOGS`";
|
||||
sql+=" where";
|
||||
if(!log_name.isEmpty()) {
|
||||
sql+=" (NAME=\""+RDEscapeString(log_name)+"\")&&";
|
||||
sql+=" (`NAME`='"+RDEscapeString(log_name)+"')&&";
|
||||
}
|
||||
if(service_name.isEmpty()) {
|
||||
QString sql2=QString("select SERVICE_NAME from USER_SERVICE_PERMS where ")+
|
||||
"USER_NAME=\""+RDEscapeString(rda->user()->name())+"\"";
|
||||
QString sql2=QString("select `SERVICE_NAME` from `USER_SERVICE_PERMS` where ")+
|
||||
"`USER_NAME`='"+RDEscapeString(rda->user()->name())+"'";
|
||||
q=new RDSqlQuery(sql2);
|
||||
sql+="(";
|
||||
while(q->next()) {
|
||||
sql+="(SERVICE=\""+RDEscapeString(q->value(0).toString())+"\")||";
|
||||
sql+="(`SERVICE`='"+RDEscapeString(q->value(0).toString())+"')||";
|
||||
}
|
||||
sql=sql.left(sql.length()-2);
|
||||
sql+=")&&";
|
||||
delete q;
|
||||
}
|
||||
else {
|
||||
sql+=" (SERVICE=\""+RDEscapeString(service_name)+"\")&&";
|
||||
sql+=" (`SERVICE`='"+RDEscapeString(service_name)+"')&&";
|
||||
}
|
||||
if(trackable=="1") {
|
||||
sql+=" (SCHEDULED_TRACKS>0)&&";
|
||||
sql+=" (`SCHEDULED_TRACKS`>0)&&";
|
||||
}
|
||||
if(!filter.isEmpty()) {
|
||||
if(service_name.isEmpty()) {
|
||||
sql+=" ((LOGS.NAME like \"%%"+RDEscapeString(filter)+"%%\")||";
|
||||
sql+="(LOGS.DESCRIPTION like \"%%"+RDEscapeString(filter)+"%%\")||";
|
||||
sql+="(LOGS.SERVICE like \"%%"+RDEscapeString(filter)+"%%\"))&&";
|
||||
sql+=" ((`LOGS`.`NAME` like '%%"+RDEscapeString(filter)+"%%')||";
|
||||
sql+="(`LOGS`.`DESCRIPTION` like '%%"+RDEscapeString(filter)+"%%')||";
|
||||
sql+="(`LOGS`.`SERVICE` like '%%"+RDEscapeString(filter)+"%%'))&&";
|
||||
}
|
||||
else {
|
||||
sql+=" ((LOGS.NAME like \"%%"+RDEscapeString(filter)+"%%\")||";
|
||||
sql+="(LOGS.DESCRIPTION like \"%%"+RDEscapeString(filter)+"%%\"))&&";
|
||||
sql+=" ((`LOGS`.`NAME` like '%%"+RDEscapeString(filter)+"%%')||";
|
||||
sql+="(`LOGS`.`DESCRIPTION` like '%%"+RDEscapeString(filter)+"%%'))&&";
|
||||
}
|
||||
}
|
||||
sql=sql.trimmed();
|
||||
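Review bot: The service-permission clause built around ``sql+="(`SERVICE`='"+RDEscapeString(q->value(0).toString())+"')||";`` yields malformed SQL when the permissions query returns no rows: `sql+="("` is immediately followed by `sql=sql.left(sql.length()-2)`, which then strips the `(` plus the last character of the preceding text (`where` or `&&`), and `)&&` is appended to that. A user with no USER_SERVICE_PERMS rows therefore produces a syntactically invalid statement instead of an empty list; the hunk does not show how RDSqlQuery reports that. Collecting the predicates and joining them, with an explicit always-false term for the empty case, removes the dependence on the trailing-`||` trick; the ListServices hunk has the same construction (closing with `)`) and should be changed the same way. ListLogs continues outside the hunk, and QStringList may need to be included if the file does not already do so.
```cpp
      q=new RDSqlQuery(sql2);
      QStringList svc_preds;   // one "(`SERVICE`='…')" term per permitted service
      while(q->next()) {
        svc_preds.push_back("(`SERVICE`='"+RDEscapeString(q->value(0).toString())+"')");
      }
      delete q;
      if(svc_preds.isEmpty()) {
        sql+="(0)&&";          // no permitted services: match no logs
      }
      else {
        sql+="("+svc_preds.join("||")+")&&";
      }
    }
    // … unchanged: else branch, trackable and filter clauses …
```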
@ -175,11 +175,11 @@ void Xport::ListLogs()
|
||||
sql=sql.left(sql.length()-5);
|
||||
}
|
||||
if(recent=="1") {
|
||||
sql+=QString().sprintf(" order by LOGS.ORIGIN_DATETIME desc limit %d",
|
||||
sql+=QString().sprintf(" order by `LOGS`.`ORIGIN_DATETIME` desc limit %d",
|
||||
RD_LOGFILTER_LIMIT_QUAN);
|
||||
}
|
||||
else {
|
||||
sql+=" order by NAME";
|
||||
sql+=" order by `NAME`";
|
||||
}
|
||||
q=new RDSqlQuery(sql);
|
||||
|
||||
@ -631,9 +631,10 @@ void Xport::LockLog()
|
||||
|
||||
RDSvc *Xport::GetLogService(const QString &svc_name)
|
||||
{
|
||||
QString sql=QString("select SERVICE_NAME from USER_SERVICE_PERMS where ")+
|
||||
"(USER_NAME=\""+RDEscapeString(rda->user()->name())+"\")&&"+
|
||||
"(SERVICE_NAME=\""+RDEscapeString(svc_name)+"\")";
|
||||
QString sql=QString("select `SERVICE_NAME` ")+
|
||||
"from `USER_SERVICE_PERMS` where "+
|
||||
"(`USER_NAME`='"+RDEscapeString(rda->user()->name())+"')&&"+
|
||||
"(`SERVICE_NAME`='"+RDEscapeString(svc_name)+"')";
|
||||
RDSqlQuery *q=new RDSqlQuery(sql);
|
||||
if(!q->first()) {
|
||||
XmlExit("No such service",404,"logs.cpp",LINE_NUMBER);
|
||||
@ -652,9 +653,10 @@ bool Xport::ServiceUserValid(const QString &svc_name)
|
||||
{
|
||||
bool ret=false;
|
||||
|
||||
QString sql=QString("select SERVICE_NAME from USER_SERVICE_PERMS where ")+
|
||||
"(SERVICE_NAME=\""+RDEscapeString(svc_name)+"\")&&"+
|
||||
"(USER_NAME=\""+RDEscapeString(rda->user()->name())+"\")";
|
||||
QString sql=QString("select `SERVICE_NAME` ")+
|
||||
"from `USER_SERVICE_PERMS` where "+
|
||||
"(`SERVICE_NAME`='"+RDEscapeString(svc_name)+"')&&"+
|
||||
"(`USER_NAME`='"+RDEscapeString(rda->user()->name())+"')";
|
||||
RDSqlQuery *q=new RDSqlQuery(sql);
|
||||
ret=q->first();
|
||||
delete q;
|
||||
|
@ -556,9 +556,9 @@ void Xport::PostImage()
|
||||
XmlExit("Missing ID",400,"podcasts.cpp",LINE_NUMBER);
|
||||
}
|
||||
sql=QString("select ")+
|
||||
"FEED_ID,"+ // 00
|
||||
"DATA,"+ // 01
|
||||
"FILE_EXTENSION "+ // 02
|
||||
"`FEED_ID`,"+ // 00
|
||||
"`DATA`,"+ // 01
|
||||
"`FILE_EXTENSION` "+ // 02
|
||||
"from FEED_IMAGES where "+
|
||||
QString().sprintf("ID=%d",img_id);
|
||||
q=new RDSqlQuery(sql);
|
||||
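Review bot: ``"from FEED_IMAGES where "+`` and ``QString().sprintf("ID=%d",img_id);`` are left with unescaped identifiers in this hunk, while the column list directly above them was escaped and the parallel RemoveImage hunk escapes both the table and the `ID` column. For the code to match the commit description, change them to ``"from `FEED_IMAGES` where "+`` and ``QString().sprintf("`ID`=%d",img_id);``. PostImage continues outside the hunk.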
@ -668,10 +668,10 @@ void Xport::RemoveImage()
|
||||
XmlExit("Missing ID",400,"podcasts.cpp",LINE_NUMBER);
|
||||
}
|
||||
sql=QString("select ")+
|
||||
"FEED_ID,"+ // 00
|
||||
"FILE_EXTENSION "+ // 01
|
||||
"from FEED_IMAGES where "+
|
||||
QString().sprintf("ID=%d",img_id);
|
||||
"`FEED_ID`,"+ // 00
|
||||
"`FILE_EXTENSION` "+ // 01
|
||||
"from `FEED_IMAGES` where "+
|
||||
QString().sprintf("`ID`=%d",img_id);
|
||||
q=new RDSqlQuery(sql);
|
||||
if(q->first()) {
|
||||
feed_id=q->value(0).toUInt();
|
||||
|
@ -34,7 +34,7 @@ void Xport::ListSchedCodes()
|
||||
//
|
||||
// Generate Scheduler Code List
|
||||
//
|
||||
sql=QString("select CODE from SCHED_CODES order by CODE");
|
||||
sql=QString("select `CODE` from `SCHED_CODES` order by `CODE`");
|
||||
q=new RDSqlQuery(sql);
|
||||
|
||||
//
|
||||
|
@ -51,22 +51,22 @@ void Xport::ListServices()
|
||||
//
|
||||
// Generate Service List
|
||||
//
|
||||
sql=QString("select NAME from SERVICES where ");
|
||||
sql2=QString("select SERVICE_NAME from USER_SERVICE_PERMS where ")+
|
||||
"USER_NAME=\""+RDEscapeString(rda->user()->name())+"\"";
|
||||
sql=QString("select `NAME` from `SERVICES` where ");
|
||||
sql2=QString("select `SERVICE_NAME` from `USER_SERVICE_PERMS` where ")+
|
||||
"`USER_NAME`='"+RDEscapeString(rda->user()->name())+"'";
|
||||
q=new RDSqlQuery(sql2);
|
||||
sql+="(";
|
||||
while(q->next()) {
|
||||
sql+="(NAME=\""+RDEscapeString(q->value(0).toString())+"\")||";
|
||||
sql+="(`NAME`='"+RDEscapeString(q->value(0).toString())+"')||";
|
||||
}
|
||||
sql=sql.left(sql.length()-2);
|
||||
sql+=")";
|
||||
delete q;
|
||||
|
||||
if(trackable=="1") {
|
||||
sql+="&&(TRACK_GROUP!=\"\")&&(TRACK_GROUP is not null)";
|
||||
sql+="&&(`TRACK_GROUP`!='')&&(`TRACK_GROUP` is not null)";
|
||||
}
|
||||
sql+=" order by NAME";
|
||||
sql+=" order by `NAME`";
|
||||
q=new RDSqlQuery(sql);
|
||||
|
||||
//
|
||||
|