2021-04-23 Fred Gleason <fredg@paravelsystems.com>

* Escaped all SQL identifiers in 'web/rdxport/'. * Replaced " with ' delimiters in all SQL literal strings in 'web/rdxport/'. Signed-off-by: Fred Gleason <fredg@paravelsystems.com>
2025-06-12 06:10:27 +02:00 · 2021-04-23 13:55:42 -04:00 · 2021-04-23 13:55:42 -04:00 · 703299899c
commit 703299899c
parent ac82d7356a
8 changed files with 54 additions and 48 deletions
--- a/4
+++ b/4
@ -21587,3 +21587,7 @@
 	* Escaped all SQL identifiers in 'utils/rdmarkerset/'.
 	* Replaced " with ' delimiters in all SQL literal strings in
 	'utils/rdmarkerset/'.
 2021-04-23 Fred Gleason <fredg@paravelsystems.com>
 	* Escaped all SQL identifiers in 'web/rdxport/'.
 	* Replaced " with ' delimiters in all SQL literal strings in
 	'web/rdxport/'.
--- a/web/rdxport/carts.cpp
+++ b/web/rdxport/carts.cpp
@ -151,9 +151,9 @@ void Xport::ListCarts()
    where=RDAllCartSearchText(filter,"",rda->user()->name(),false);
  }
  else {
-    sql=QString("select GROUP_NAME from USER_PERMS where ")+
+    sql=QString("select `GROUP_NAME` from `USER_PERMS` where ")+
-      "(GROUP_NAME=\""+RDEscapeString(group_name)+"\")&&"+
+      "(`GROUP_NAME`='"+RDEscapeString(group_name)+"')&&"+
-      "(USER_NAME=\""+RDEscapeString(rda->user()->name())+"\")";
+      "(`USER_NAME`='"+RDEscapeString(rda->user()->name())+"')";
    q=new RDSqlQuery(sql);
    if(!q->first()) {
      delete q;
@ -162,9 +162,9 @@ void Xport::ListCarts()
    where=RDCartSearchText(filter,group_name,"",false);
  }
  if(cart_type!=RDCart::All) {
-    where+=QString().sprintf("&&(TYPE=%u)",cart_type);
+    where+=QString().sprintf("&&(`TYPE`=%u)",cart_type);
  }
-  sql=RDCart::xmlSql(include_cuts)+where+" order by CART.NUMBER";
+  sql=RDCart::xmlSql(include_cuts)+where+" order by `CART`.`NUMBER`";
  q=new RDSqlQuery(sql);
  //
@ -529,7 +529,7 @@ void Xport::ListCuts()
  // Process Request
  //
  sql=RDCart::xmlSql(true)+
-    QString().sprintf(" where CART.NUMBER=%u",cart_number);
+    QString().sprintf(" where `CART`.`NUMBER`=%u",cart_number);
  q=new RDSqlQuery(sql);
  printf("Content-type: application/xml\n");
  printf("Status: 200\n\n");
--- a/web/rdxport/deleteaudio.cpp
+++ b/web/rdxport/deleteaudio.cpp
@ -60,8 +60,8 @@ void Xport::DeleteAudio()
  }
  unlink(RDCut::pathName(cartnum,cutnum).toUtf8());
  unlink((RDCut::pathName(cartnum,cutnum)+".energy").toUtf8());
-  QString sql=QString("delete from CUT_EVENTS where ")+
+  QString sql=QString("delete from `CUT_EVENTS` where ")+
-    "CUT_NAME=\""+RDCut::cutName(cartnum,cutnum)+"\"";
+    "`CUT_NAME`='"+RDCut::cutName(cartnum,cutnum)+"'";
  RDSqlQuery *q=new RDSqlQuery(sql);
  delete q;
  SendNotification(RDNotification::CartType,RDNotification::ModifyAction,
--- a/web/rdxport/groups.cpp
+++ b/web/rdxport/groups.cpp
@ -44,9 +44,9 @@ void Xport::ListGroups()
  // Generate Group List
  //
  sql=QString("select ")+
-    "GROUP_NAME from USER_PERMS where "+
+    "`GROUP_NAME` from `USER_PERMS` where "+
-    "USER_NAME=\""+RDEscapeString(rda->user()->name())+"\" "+
+    "`USER_NAME`='"+RDEscapeString(rda->user()->name())+"' "+
-    "order by GROUP_NAME";
+    "order by `GROUP_NAME`";
  q=new RDSqlQuery(sql);
  //
@ -86,9 +86,9 @@ void Xport::ListGroup()
  // Check Group Accessibility
  //
  sql=QString("select ")+
-    "GROUP_NAME from USER_PERMS	where "+
+    "`GROUP_NAME` from `USER_PERMS` where "+
-    "(USER_NAME=\""+RDEscapeString(rda->user()->name())+"\")&&"+
+    "(`USER_NAME`='"+RDEscapeString(rda->user()->name())+"')&&"+
-    "(GROUP_NAME=\""+RDEscapeString(group_name)+"\")";
+    "(`GROUP_NAME`='"+RDEscapeString(group_name)+"')";
  q=new RDSqlQuery(sql);
  if(!q->first()) {
    delete q;
--- a/web/rdxport/logs.cpp
+++ b/web/rdxport/logs.cpp
@ -132,38 +132,38 @@ void Xport::ListLogs()
  //
  // Generate Log List
  //
-  sql="select NAME from LOGS";
+  sql="select `NAME` from `LOGS`";
  sql+=" where";
  if(!log_name.isEmpty()) {
-    sql+=" (NAME=\""+RDEscapeString(log_name)+"\")&&";
+    sql+=" (`NAME`='"+RDEscapeString(log_name)+"')&&";
  }
  if(service_name.isEmpty()) {
-    QString sql2=QString("select SERVICE_NAME from USER_SERVICE_PERMS where ")+
+    QString sql2=QString("select `SERVICE_NAME` from `USER_SERVICE_PERMS` where ")+
-      "USER_NAME=\""+RDEscapeString(rda->user()->name())+"\"";
+      "`USER_NAME`='"+RDEscapeString(rda->user()->name())+"'";
    q=new RDSqlQuery(sql2);
    sql+="(";
    while(q->next()) {
-      sql+="(SERVICE=\""+RDEscapeString(q->value(0).toString())+"\")||";
+      sql+="(`SERVICE`='"+RDEscapeString(q->value(0).toString())+"')||";
    }
    sql=sql.left(sql.length()-2);
    sql+=")&&";
    delete q;
  }
  else {
-    sql+=" (SERVICE=\""+RDEscapeString(service_name)+"\")&&";
+    sql+=" (`SERVICE`='"+RDEscapeString(service_name)+"')&&";
  }
  if(trackable=="1") {
-    sql+=" (SCHEDULED_TRACKS>0)&&";
+    sql+=" (`SCHEDULED_TRACKS`>0)&&";
  }
  if(!filter.isEmpty()) {
    if(service_name.isEmpty()) {
-      sql+=" ((LOGS.NAME like \"%%"+RDEscapeString(filter)+"%%\")||";
+      sql+=" ((`LOGS`.`NAME` like '%%"+RDEscapeString(filter)+"%%')||";
-      sql+="(LOGS.DESCRIPTION like \"%%"+RDEscapeString(filter)+"%%\")||";
+      sql+="(`LOGS`.`DESCRIPTION` like '%%"+RDEscapeString(filter)+"%%')||";
-      sql+="(LOGS.SERVICE like \"%%"+RDEscapeString(filter)+"%%\"))&&";
+      sql+="(`LOGS`.`SERVICE` like '%%"+RDEscapeString(filter)+"%%'))&&";
    }
    else {
-      sql+=" ((LOGS.NAME like \"%%"+RDEscapeString(filter)+"%%\")||";
+      sql+=" ((`LOGS`.`NAME` like '%%"+RDEscapeString(filter)+"%%')||";
-      sql+="(LOGS.DESCRIPTION like \"%%"+RDEscapeString(filter)+"%%\"))&&";
+      sql+="(`LOGS`.`DESCRIPTION` like '%%"+RDEscapeString(filter)+"%%'))&&";
    }
  }
  sql=sql.trimmed();
@ -175,11 +175,11 @@ void Xport::ListLogs()
    sql=sql.left(sql.length()-5);
  }
  if(recent=="1") {
-    sql+=QString().sprintf(" order by LOGS.ORIGIN_DATETIME desc limit %d",
+    sql+=QString().sprintf(" order by `LOGS`.`ORIGIN_DATETIME` desc limit %d",
 			   RD_LOGFILTER_LIMIT_QUAN);
  }
  else {
-    sql+=" order by NAME";
+    sql+=" order by `NAME`";
  }
  q=new RDSqlQuery(sql);
@ -631,9 +631,10 @@ void Xport::LockLog()
 RDSvc *Xport::GetLogService(const QString &svc_name)
 {
-  QString sql=QString("select SERVICE_NAME from USER_SERVICE_PERMS where ")+
+  QString sql=QString("select `SERVICE_NAME` ")+
-    "(USER_NAME=\""+RDEscapeString(rda->user()->name())+"\")&&"+
+    "from `USER_SERVICE_PERMS` where "+
-    "(SERVICE_NAME=\""+RDEscapeString(svc_name)+"\")";
+    "(`USER_NAME`='"+RDEscapeString(rda->user()->name())+"')&&"+
    "(`SERVICE_NAME`='"+RDEscapeString(svc_name)+"')";
  RDSqlQuery *q=new RDSqlQuery(sql);
  if(!q->first()) {
    XmlExit("No such service",404,"logs.cpp",LINE_NUMBER);
@ -652,9 +653,10 @@ bool Xport::ServiceUserValid(const QString &svc_name)
 {
  bool ret=false;
-  QString sql=QString("select SERVICE_NAME from USER_SERVICE_PERMS where ")+
+  QString sql=QString("select `SERVICE_NAME` ")+
-    "(SERVICE_NAME=\""+RDEscapeString(svc_name)+"\")&&"+
+    "from `USER_SERVICE_PERMS` where "+
-    "(USER_NAME=\""+RDEscapeString(rda->user()->name())+"\")";
+    "(`SERVICE_NAME`='"+RDEscapeString(svc_name)+"')&&"+
    "(`USER_NAME`='"+RDEscapeString(rda->user()->name())+"')";
  RDSqlQuery *q=new RDSqlQuery(sql);
  ret=q->first();
  delete q;
--- a/web/rdxport/podcasts.cpp
+++ b/web/rdxport/podcasts.cpp
@ -556,9 +556,9 @@ void Xport::PostImage()
    XmlExit("Missing ID",400,"podcasts.cpp",LINE_NUMBER);
  }
  sql=QString("select ")+
-    "FEED_ID,"+         // 00
+    "`FEED_ID`,"+         // 00
-    "DATA,"+            // 01
+    "`DATA`,"+            // 01
-    "FILE_EXTENSION "+  // 02
+    "`FILE_EXTENSION` "+  // 02
    "from FEED_IMAGES where "+
    QString().sprintf("ID=%d",img_id);
  q=new RDSqlQuery(sql);
@ -668,10 +668,10 @@ void Xport::RemoveImage()
    XmlExit("Missing ID",400,"podcasts.cpp",LINE_NUMBER);
  }
  sql=QString("select ")+
-    "FEED_ID,"+         // 00
+    "`FEED_ID`,"+         // 00
-    "FILE_EXTENSION "+  // 01
+    "`FILE_EXTENSION` "+  // 01
-    "from FEED_IMAGES where "+
+    "from `FEED_IMAGES` where "+
-    QString().sprintf("ID=%d",img_id);
+    QString().sprintf("`ID`=%d",img_id);
  q=new RDSqlQuery(sql);
  if(q->first()) {
    feed_id=q->value(0).toUInt();
--- a/web/rdxport/schedcodes.cpp
+++ b/web/rdxport/schedcodes.cpp
@ -34,7 +34,7 @@ void Xport::ListSchedCodes()
  //
  // Generate Scheduler Code List
  //
-  sql=QString("select CODE from SCHED_CODES order by CODE");
+  sql=QString("select `CODE` from `SCHED_CODES` order by `CODE`");
  q=new RDSqlQuery(sql);
  //
--- a/web/rdxport/services.cpp
+++ b/web/rdxport/services.cpp
@ -51,22 +51,22 @@ void Xport::ListServices()
  //
  // Generate Service List
  //
-  sql=QString("select NAME from SERVICES where ");
+  sql=QString("select `NAME` from `SERVICES` where ");
-  sql2=QString("select SERVICE_NAME from USER_SERVICE_PERMS where ")+
+  sql2=QString("select `SERVICE_NAME` from `USER_SERVICE_PERMS` where ")+
-    "USER_NAME=\""+RDEscapeString(rda->user()->name())+"\"";
+    "`USER_NAME`='"+RDEscapeString(rda->user()->name())+"'";
  q=new RDSqlQuery(sql2);
  sql+="(";
  while(q->next()) {
-    sql+="(NAME=\""+RDEscapeString(q->value(0).toString())+"\")||";
+    sql+="(`NAME`='"+RDEscapeString(q->value(0).toString())+"')||";
  }
  sql=sql.left(sql.length()-2);
  sql+=")";
  delete q;
  if(trackable=="1") {
-    sql+="&&(TRACK_GROUP!=\"\")&&(TRACK_GROUP is not null)";
+    sql+="&&(`TRACK_GROUP`!='')&&(`TRACK_GROUP` is not null)";
  }
-  sql+=" order by NAME";
+  sql+=" order by `NAME`";
  q=new RDSqlQuery(sql);
  //