Overview
Comment: | Make use of %q instead of %s to avoid SQL injections. |
SHA1: |
e766df0a69a317946270ec41a3375393 |
User & Date: | drh 2012-08-22 20:19:15.968 |
20:19 | Make use of %q instead of %s to avoid SQL injections. ... (check-in: e766df0a user: drh tags: trunk) | |
Changes
Changes to src/add.c.
91 92 93 94 95 96 97 | if( zAll==0 ){ Blob x; int i; const char *z; blob_zero(&x); for(i=0; (z = fossil_reserved_name(i))!=0; i++){ if( i>0 ) blob_append(&x, ",", 1); | | | 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 | if( zAll==0 ){ Blob x; int i; const char *z; blob_zero(&x); for(i=0; (z = fossil_reserved_name(i))!=0; i++){ if( i>0 ) blob_append(&x, ",", 1); blob_appendf(&x, "'%q'", z); } zAll = blob_str(&x); } return zAll; } /* |
505 506 507 508 509 510 511 | ** Rename a single file. ** ** The original name of the file is zOrig. The new filename is zNew. */ static void mv_one_file(int vid, const char *zOrig, const char *zNew){ fossil_print("RENAME %s %s\n", zOrig, zNew); db_multi_exec( | | | 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 | ** Rename a single file. ** ** The original name of the file is zOrig. The new filename is zNew. */ static void mv_one_file(int vid, const char *zOrig, const char *zNew){ fossil_print("RENAME %s %s\n", zOrig, zNew); db_multi_exec( "UPDATE vfile SET pathname='%q' WHERE pathname='%q' AND vid=%d", zNew, zOrig, vid ); } /* ** COMMAND: mv ** COMMAND: rename* |
589 590 591 592 593 594 595 | const char *zTail; if( nPath==nOrig ){ zTail = file_tail(zPath); }else{ zTail = &zPath[nOrig+1]; } db_multi_exec( | | | 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 | const char *zTail; if( nPath==nOrig ){ zTail = file_tail(zPath); }else{ zTail = &zPath[nOrig+1]; } db_multi_exec( "INSERT INTO mv VALUES('%q','%q%q')", zPath, blob_str(&dest), zTail ); } db_finalize(&q); } } db_prepare(&q, "SELECT f, t FROM mv ORDER BY f"); |
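Review bot: The `'%q'` at line 97 of the first hunk quotes strings returned by fossil_reserved_name(), which appear to be fixed internal names rather than external input, so the change there is defensive hardening; a comment such as `/* %q: quote defensively even though reserved names are internal constants */` would stop a later reader from reverting it as unnecessary. %q only doubles single quotes, so it is correct only because each value sits inside its own '...' literal, as it does in all three hunks of this file (the vfile UPDATE at line 512 and the mv INSERT at line 596). The enclosing function of the first hunk starts outside the hunk.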
Changes to src/branch.c.
59 60 61 62 63 64 65 | zBranch = g.argv[3]; if( zBranch==0 || zBranch[0]==0 ){ fossil_panic("branch name cannot be empty"); } if( db_exists( "SELECT 1 FROM tagxref" " WHERE tagtype>0" | | | 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 | zBranch = g.argv[3]; if( zBranch==0 || zBranch[0]==0 ){ fossil_panic("branch name cannot be empty"); } if( db_exists( "SELECT 1 FROM tagxref" " WHERE tagtype>0" " AND tagid=(SELECT tagid FROM tag WHERE tagname='sym-%q')", zBranch)!=0 ){ fossil_fatal("branch \"%s\" already exists", zBranch); } user_select(); db_begin_transaction(); rootid = name_to_typed_rid(g.argv[4], "ci"); |
Changes to src/info.c.
228 229 230 231 232 233 234 | int cnt = 0; db_prepare(&q, "SELECT tag.tagid, tagname, " " (SELECT uuid FROM blob WHERE rid=tagxref.srcid AND rid!=%d)," " value, datetime(tagxref.mtime,'localtime'), tagtype," " (SELECT uuid FROM blob WHERE rid=tagxref.origid AND rid!=%d)" " FROM tagxref JOIN tag ON tagxref.tagid=tag.tagid" | | | 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 | int cnt = 0; db_prepare(&q, "SELECT tag.tagid, tagname, " " (SELECT uuid FROM blob WHERE rid=tagxref.srcid AND rid!=%d)," " value, datetime(tagxref.mtime,'localtime'), tagtype," " (SELECT uuid FROM blob WHERE rid=tagxref.origid AND rid!=%d)" " FROM tagxref JOIN tag ON tagxref.tagid=tag.tagid" " WHERE tagxref.rid=%d AND tagname NOT GLOB '%q'" " ORDER BY tagname /*sort*/", rid, rid, rid, zNotGlob ); while( db_step(&q)==SQLITE_ROW ){ const char *zTagname = db_column_text(&q, 1); const char *zSrcUuid = db_column_text(&q, 2); const char *zValue = db_column_text(&q, 3); const char *zDate = db_column_text(&q, 4); |
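Review bot: `NOT GLOB '%q'` at line 235 now escapes single quotes in zNotGlob, but GLOB metacharacters (`*`, `?`, `[...]`) in that string remain active; that is presumably the intent given the parameter's name, so a comment on the query, e.g. `/* zNotGlob is a GLOB pattern chosen by the caller; %q neutralises quoting only, not wildcards */`, would record that the caller, not this query, is responsible for the pattern's contents. Where zNotGlob comes from is not visible in the hunk, so whether it can ever carry request data should be confirmed at the call sites. The enclosing function starts and ends outside the hunk.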
Changes to src/tkt.c.
464 465 466 467 468 469 470 | blob_appendf(&tktchng, "J %s %#F\n", azField[i], nValue, zValue); } } } } if( *(char**)pUuid ){ zUuid = db_text(0, | | | 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 | blob_appendf(&tktchng, "J %s %#F\n", azField[i], nValue, zValue); } } } } if( *(char**)pUuid ){ zUuid = db_text(0, "SELECT tkt_uuid FROM ticket WHERE tkt_uuid GLOB '%q*'", P("name") ); }else{ zUuid = db_text(0, "SELECT lower(hex(randomblob(20)))"); } *(const char**)pUuid = zUuid; blob_appendf(&tktchng, "K %s\n", zUuid); blob_appendf(&tktchng, "U %F\n", g.zLogin ? g.zLogin : ""); |
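Review bot: `tkt_uuid GLOB '%q*'` with P("name") at line 471 is now safe against quote-based injection, but the request parameter can still carry GLOB wildcards, and db_text() returns whichever matching row comes first, so an ambiguous or wildcard prefix silently resolves to an arbitrary ticket. Consider verifying that the prefix matches exactly one row (for example a count query on the same GLOB, or a `LIMIT 2` probe) and failing with fossil_fatal() on ambiguity, or, if the caller already validates `name`, a comment on the query saying so. The hunk does not show whether P("name") can be NULL at this point; if it can, confirm how the formatter renders a NULL %q argument before relying on a non-empty prefix. The enclosing function starts and ends outside the hunk.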