diff --git a/ChangeLog b/ChangeLog
index 0a9e77c9..ff915777 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -21587,3 +21587,7 @@
 * Escaped all SQL identifiers in 'utils/rdmarkerset/'.
 * Replaced " with ' delimiters in all SQL literal strings in
 'utils/rdmarkerset/'.
+2021-04-23 Fred Gleason
+ * Escaped all SQL identifiers in 'web/rdxport/'.
+ * Replaced " with ' delimiters in all SQL literal strings in
+ 'web/rdxport/'.
diff --git a/web/rdxport/carts.cpp b/web/rdxport/carts.cpp
index 89e20f4e..233dc6fb 100644
--- a/web/rdxport/carts.cpp
+++ b/web/rdxport/carts.cpp
@@ -151,9 +151,9 @@ void Xport::ListCarts()
 where=RDAllCartSearchText(filter,"",rda->user()->name(),false);
 }
 else {
- sql=QString("select GROUP_NAME from USER_PERMS where ")+
- "(GROUP_NAME=\""+RDEscapeString(group_name)+"\")&&"+
- "(USER_NAME=\""+RDEscapeString(rda->user()->name())+"\")";
+ sql=QString("select `GROUP_NAME` from `USER_PERMS` where ")+
+ "(`GROUP_NAME`='"+RDEscapeString(group_name)+"')&&"+
+ "(`USER_NAME`='"+RDEscapeString(rda->user()->name())+"')";
 q=new RDSqlQuery(sql);
 if(!q->first()) {
 delete q;
@@ -162,9 +162,9 @@ void Xport::ListCarts()
 where=RDCartSearchText(filter,group_name,"",false);
 }
 if(cart_type!=RDCart::All) {
- where+=QString().sprintf("&&(TYPE=%u)",cart_type);
+ where+=QString().sprintf("&&(`TYPE`=%u)",cart_type);
 }
- sql=RDCart::xmlSql(include_cuts)+where+" order by CART.NUMBER";
+ sql=RDCart::xmlSql(include_cuts)+where+" order by `CART`.`NUMBER`";
 q=new RDSqlQuery(sql);
 //
@@ -529,7 +529,7 @@ void Xport::ListCuts()
 // Process Request
 //
 sql=RDCart::xmlSql(true)+
- QString().sprintf(" where CART.NUMBER=%u",cart_number);
+ QString().sprintf(" where `CART`.`NUMBER`=%u",cart_number);
 q=new RDSqlQuery(sql);
 printf("Content-type: application/xml\n");
 printf("Status: 200\n\n");
diff --git a/web/rdxport/deleteaudio.cpp b/web/rdxport/deleteaudio.cpp
index 13de2766..aed12884 100644
--- a/web/rdxport/deleteaudio.cpp
+++ b/web/rdxport/deleteaudio.cpp
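Review bot: The statement assembled on the new side of the @@ -162 hunk, `sql=RDCart::xmlSql(include_cuts)+where+" order by `CART`.`NUMBER`";`, is only as consistently quoted as the `where` fragment spliced into it, and that fragment comes from RDCartSearchText / RDAllCartSearchText (plus RDCart::xmlSql), none of which this commit touches. If those helpers still emit double-quoted literals, the combined query keeps the delimiter style this change is presumably moving away from (double quotes become identifier quotes under MySQL's ANSI_QUOTES sql_mode), so they should be converted in the same pass or confirmed as already done. ListCarts starts before and continues past these hunks.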
@@ -60,8 +60,8 @@ void Xport::DeleteAudio()
 }
 unlink(RDCut::pathName(cartnum,cutnum).toUtf8());
 unlink((RDCut::pathName(cartnum,cutnum)+".energy").toUtf8());
- QString sql=QString("delete from CUT_EVENTS where ")+
- "CUT_NAME=\""+RDCut::cutName(cartnum,cutnum)+"\"";
+ QString sql=QString("delete from `CUT_EVENTS` where ")+
+ "`CUT_NAME`='"+RDCut::cutName(cartnum,cutnum)+"'";
 RDSqlQuery *q=new RDSqlQuery(sql);
 delete q;
 SendNotification(RDNotification::CartType,RDNotification::ModifyAction,
diff --git a/web/rdxport/groups.cpp b/web/rdxport/groups.cpp
index ef75af07..4b44e058 100644
--- a/web/rdxport/groups.cpp
+++ b/web/rdxport/groups.cpp
@@ -44,9 +44,9 @@ void Xport::ListGroups()
 //
 // Generate Group List
 //
 sql=QString("select ")+
- "GROUP_NAME from USER_PERMS where "+
- "USER_NAME=\""+RDEscapeString(rda->user()->name())+"\" "+
- "order by GROUP_NAME";
+ "`GROUP_NAME` from `USER_PERMS` where "+
+ "`USER_NAME`='"+RDEscapeString(rda->user()->name())+"' "+
+ "order by `GROUP_NAME`";
 q=new RDSqlQuery(sql);
 //
@@ -86,9 +86,9 @@ void Xport::ListGroup()
 // Check Group Accessibility
 //
 sql=QString("select ")+
- "GROUP_NAME from USER_PERMS where "+
- "(USER_NAME=\""+RDEscapeString(rda->user()->name())+"\")&&"+
- "(GROUP_NAME=\""+RDEscapeString(group_name)+"\")";
+ "`GROUP_NAME` from `USER_PERMS` where "+
+ "(`USER_NAME`='"+RDEscapeString(rda->user()->name())+"')&&"+
+ "(`GROUP_NAME`='"+RDEscapeString(group_name)+"')";
 q=new RDSqlQuery(sql);
 if(!q->first()) {
 delete q;
diff --git a/web/rdxport/logs.cpp b/web/rdxport/logs.cpp
index 5ff844b6..02b294ef 100644
--- a/web/rdxport/logs.cpp
+++ b/web/rdxport/logs.cpp
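Review bot: The rewritten `CUT_NAME` literal in DeleteAudio interpolates `RDCut::cutName(cartnum,cutnum)` directly, without the `RDEscapeString` wrapper that every other string value converted in this commit receives. Presumably cutName formats its two numeric arguments and can never contain a quote, so this is a consistency gap rather than an injection path, but wrapping it keeps the rule "every interpolated value is escaped" mechanical and greppable: `"`CUT_NAME`='"+RDEscapeString(RDCut::cutName(cartnum,cutnum))+"'";`. DeleteAudio begins before and continues after this hunk, so the types of cartnum and cutnum are not visible here.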
@@ -132,38 +132,38 @@ void Xport::ListLogs()
 //
 // Generate Log List
 //
- sql="select NAME from LOGS";
+ sql="select `NAME` from `LOGS`";
 sql+=" where";
 if(!log_name.isEmpty()) {
- sql+=" (NAME=\""+RDEscapeString(log_name)+"\")&&";
+ sql+=" (`NAME`='"+RDEscapeString(log_name)+"')&&";
 }
 if(service_name.isEmpty()) {
- QString sql2=QString("select SERVICE_NAME from USER_SERVICE_PERMS where ")+
- "USER_NAME=\""+RDEscapeString(rda->user()->name())+"\"";
+ QString sql2=QString("select `SERVICE_NAME` from `USER_SERVICE_PERMS` where ")+
+ "`USER_NAME`='"+RDEscapeString(rda->user()->name())+"'";
 q=new RDSqlQuery(sql2);
 sql+="(";
 while(q->next()) {
- sql+="(SERVICE=\""+RDEscapeString(q->value(0).toString())+"\")||";
+ sql+="(`SERVICE`='"+RDEscapeString(q->value(0).toString())+"')||";
 }
 sql=sql.left(sql.length()-2);
 sql+=")&&";
 delete q;
 }
 else {
- sql+=" (SERVICE=\""+RDEscapeString(service_name)+"\")&&";
+ sql+=" (`SERVICE`='"+RDEscapeString(service_name)+"')&&";
 }
 if(trackable=="1") {
- sql+=" (SCHEDULED_TRACKS>0)&&";
+ sql+=" (`SCHEDULED_TRACKS`>0)&&";
 }
 if(!filter.isEmpty()) {
 if(service_name.isEmpty()) {
- sql+=" ((LOGS.NAME like \"%%"+RDEscapeString(filter)+"%%\")||";
- sql+="(LOGS.DESCRIPTION like \"%%"+RDEscapeString(filter)+"%%\")||";
- sql+="(LOGS.SERVICE like \"%%"+RDEscapeString(filter)+"%%\"))&&";
+ sql+=" ((`LOGS`.`NAME` like '%%"+RDEscapeString(filter)+"%%')||";
+ sql+="(`LOGS`.`DESCRIPTION` like '%%"+RDEscapeString(filter)+"%%')||";
+ sql+="(`LOGS`.`SERVICE` like '%%"+RDEscapeString(filter)+"%%'))&&";
 }
 else {
- sql+=" ((LOGS.NAME like \"%%"+RDEscapeString(filter)+"%%\")||";
- sql+="(LOGS.DESCRIPTION like \"%%"+RDEscapeString(filter)+"%%\"))&&";
+ sql+=" ((`LOGS`.`NAME` like '%%"+RDEscapeString(filter)+"%%')||";
+ sql+="(`LOGS`.`DESCRIPTION` like '%%"+RDEscapeString(filter)+"%%'))&&";
 }
 }
 sql=sql.trimmed();
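Review bot: In the service-permission branch of ListLogs, `sql+="(";` followed by `sql=sql.left(sql.length()-2);` assumes the `while(q->next())` loop appended at least one `||`-terminated clause; for a user with no USER_SERVICE_PERMS rows the loop body never runs, the truncation chops `e(` off `where(` (or the closing paren of a preceding `NAME` clause), and the statement handed to RDSqlQuery is malformed rather than simply matching nothing. The commit only re-quotes these lines, so this pre-existing failure mode survives on the new side; how RDSqlQuery reports a syntax error is not visible here. Collecting the clauses in a QStringList and emitting an always-false clause when it is empty keeps the query well-formed without changing the result for users who do hold permissions. ListLogs starts before and continues after this hunk, and the trailing `&&` cleanup lives outside it.
```cpp
  if(service_name.isEmpty()) {
    QString sql2=QString("select `SERVICE_NAME` from `USER_SERVICE_PERMS` where ")+
      "`USER_NAME`='"+RDEscapeString(rda->user()->name())+"'";
    q=new RDSqlQuery(sql2);
    QStringList svc_clauses;
    while(q->next()) {
      svc_clauses.push_back("(`SERVICE`='"+RDEscapeString(q->value(0).toString())+"')");
    }
    delete q;
    // A user with no service permissions sees no logs; an always-false
    // clause keeps the statement well-formed instead of truncating "where(".
    if(svc_clauses.isEmpty()) {
      sql+="(0)&&";
    }
    else {
      sql+="("+svc_clauses.join("||")+")&&";
    }
  }
  // … unchanged: explicit service_name branch, trackable and filter clauses …
```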
@@ -175,11 +175,11 @@ void Xport::ListLogs()
 sql=sql.left(sql.length()-5);
 }
 if(recent=="1") {
- sql+=QString().sprintf(" order by LOGS.ORIGIN_DATETIME desc limit %d",
+ sql+=QString().sprintf(" order by `LOGS`.`ORIGIN_DATETIME` desc limit %d",
 RD_LOGFILTER_LIMIT_QUAN);
 }
 else {
- sql+=" order by NAME";
+ sql+=" order by `NAME`";
 }
 q=new RDSqlQuery(sql);
@@ -631,9 +631,10 @@ void Xport::LockLog()
 RDSvc *Xport::GetLogService(const QString &svc_name)
 {
- QString sql=QString("select SERVICE_NAME from USER_SERVICE_PERMS where ")+
- "(USER_NAME=\""+RDEscapeString(rda->user()->name())+"\")&&"+
- "(SERVICE_NAME=\""+RDEscapeString(svc_name)+"\")";
+ QString sql=QString("select `SERVICE_NAME` ")+
+ "from `USER_SERVICE_PERMS` where "+
+ "(`USER_NAME`='"+RDEscapeString(rda->user()->name())+"')&&"+
+ "(`SERVICE_NAME`='"+RDEscapeString(svc_name)+"')";
 RDSqlQuery *q=new RDSqlQuery(sql);
 if(!q->first()) {
 XmlExit("No such service",404,"logs.cpp",LINE_NUMBER);
@@ -652,9 +653,10 @@ bool Xport::ServiceUserValid(const QString &svc_name)
 {
 bool ret=false;
- QString sql=QString("select SERVICE_NAME from USER_SERVICE_PERMS where ")+
- "(SERVICE_NAME=\""+RDEscapeString(svc_name)+"\")&&"+
- "(USER_NAME=\""+RDEscapeString(rda->user()->name())+"\")";
+ QString sql=QString("select `SERVICE_NAME` ")+
+ "from `USER_SERVICE_PERMS` where "+
+ "(`SERVICE_NAME`='"+RDEscapeString(svc_name)+"')&&"+
+ "(`USER_NAME`='"+RDEscapeString(rda->user()->name())+"')";
 RDSqlQuery *q=new RDSqlQuery(sql);
 ret=q->first();
 delete q;
diff --git a/web/rdxport/podcasts.cpp b/web/rdxport/podcasts.cpp
index c35921d6..6128a866 100644
--- a/web/rdxport/podcasts.cpp
+++ b/web/rdxport/podcasts.cpp
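Review bot: GetLogService in the @@ -631 hunk builds and runs the same USER_SERVICE_PERMS lookup that ServiceUserValid in the next hunk already encapsulates, so the per-user service authorization predicate now lives in two hand-built SQL strings that must be quoted, escaped and kept in sync independently. If the remainder of GetLogService (outside the hunk) needs nothing else from `q`, the lookup can become `if(!ServiceUserValid(svc_name)) { XmlExit("No such service",404,"logs.cpp",LINE_NUMBER); }`, leaving a single place where this access check is expressed. Both functions continue beyond what the hunks show.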
@@ -556,9 +556,9 @@ void Xport::PostImage()
 XmlExit("Missing ID",400,"podcasts.cpp",LINE_NUMBER);
 }
 sql=QString("select ")+
- "FEED_ID,"+ // 00
- "DATA,"+ // 01
- "FILE_EXTENSION "+ // 02
+ "`FEED_ID`,"+ // 00
+ "`DATA`,"+ // 01
+ "`FILE_EXTENSION` "+ // 02
 "from FEED_IMAGES where "+
 QString().sprintf("ID=%d",img_id);
 q=new RDSqlQuery(sql);
@@ -668,10 +668,10 @@ void Xport::RemoveImage()
 XmlExit("Missing ID",400,"podcasts.cpp",LINE_NUMBER);
 }
 sql=QString("select ")+
- "FEED_ID,"+ // 00
- "FILE_EXTENSION "+ // 01
- "from FEED_IMAGES where "+
- QString().sprintf("ID=%d",img_id);
+ "`FEED_ID`,"+ // 00
+ "`FILE_EXTENSION` "+ // 01
+ "from `FEED_IMAGES` where "+
+ QString().sprintf("`ID`=%d",img_id);
 q=new RDSqlQuery(sql);
 if(q->first()) {
 feed_id=q->value(0).toUInt();
diff --git a/web/rdxport/schedcodes.cpp b/web/rdxport/schedcodes.cpp
index f8b392e7..30c0d158 100644
--- a/web/rdxport/schedcodes.cpp
+++ b/web/rdxport/schedcodes.cpp
@@ -34,7 +34,7 @@ void Xport::ListSchedCodes()
 //
 // Generate Scheduler Code List
 //
- sql=QString("select CODE from SCHED_CODES order by CODE");
+ sql=QString("select `CODE` from `SCHED_CODES` order by `CODE`");
 q=new RDSqlQuery(sql);
 //
diff --git a/web/rdxport/services.cpp b/web/rdxport/services.cpp
index 1974fdce..cdc0baf6 100644
--- a/web/rdxport/services.cpp
+++ b/web/rdxport/services.cpp
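Review bot: The `"from FEED_IMAGES where "+` and `QString().sprintf("ID=%d",img_id);` lines in PostImage (@@ -556) are context lines left unconverted, while the identical pair in RemoveImage (@@ -668) gets backticks in this same commit, and the ChangeLog entry claims all identifiers in web/rdxport/ were escaped. The two lines should read `"from `FEED_IMAGES` where "+` and `QString().sprintf("`ID`=%d",img_id);` so both image handlers quote the same table and column the same way. PostImage continues outside the hunk.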
@@ -51,22 +51,22 @@ void Xport::ListServices()
 //
 // Generate Service List
 //
- sql=QString("select NAME from SERVICES where ");
- sql2=QString("select SERVICE_NAME from USER_SERVICE_PERMS where ")+
- "USER_NAME=\""+RDEscapeString(rda->user()->name())+"\"";
+ sql=QString("select `NAME` from `SERVICES` where ");
+ sql2=QString("select `SERVICE_NAME` from `USER_SERVICE_PERMS` where ")+
+ "`USER_NAME`='"+RDEscapeString(rda->user()->name())+"'";
 q=new RDSqlQuery(sql2);
 sql+="(";
 while(q->next()) {
- sql+="(NAME=\""+RDEscapeString(q->value(0).toString())+"\")||";
+ sql+="(`NAME`='"+RDEscapeString(q->value(0).toString())+"')||";
 }
 sql=sql.left(sql.length()-2);
 sql+=")";
 delete q;
 if(trackable=="1") {
- sql+="&&(TRACK_GROUP!=\"\")&&(TRACK_GROUP is not null)";
+ sql+="&&(`TRACK_GROUP`!='')&&(`TRACK_GROUP` is not null)";
 }
- sql+=" order by NAME";
+ sql+=" order by `NAME`";
 q=new RDSqlQuery(sql);
 //
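Review bot: ListServices has the same unguarded truncation as ListLogs: `sql+="(";` then `sql=sql.left(sql.length()-2);` after the `while(q->next())` loop only works when at least one `(`NAME`='…')||` clause was appended, and for a user with no USER_SERVICE_PERMS rows it turns `select `NAME` from `SERVICES` where(` into `… wher)`, a malformed statement, before the trackable and order-by fragments are appended. The commit re-quotes these lines without addressing it, so the no-permissions case still yields a SQL error rather than an empty service list; how RDSqlQuery surfaces that error is not visible here. Building the clause list with a QStringList and emitting an always-false clause when it is empty fixes this without altering the query for users who do hold permissions. ListServices continues beyond this hunk.
```cpp
  q=new RDSqlQuery(sql2);
  QStringList name_clauses;
  while(q->next()) {
    name_clauses.push_back("(`NAME`='"+RDEscapeString(q->value(0).toString())+"')");
  }
  delete q;
  // No service permissions: emit an always-false clause rather than
  // truncating "where(" into a malformed statement.
  if(name_clauses.isEmpty()) {
    sql+="(0)";
  }
  else {
    sql+="("+name_clauses.join("||")+")";
  }
  // … unchanged: trackable clause, order by, query execution …
```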