author | Andreas Habel <mail@exceptionfault.de> | 2008-11-05 13:40:13 +0000 |
---|---|---|
committer | Andreas Habel <mail@exceptionfault.de> | 2008-11-05 13:40:13 +0000 |
commit | 1af60893e6737942c2079c794d53a4e21cf87c58 (patch) | |
tree | 53bf04c21499adc8c2f23d40351d0525753c648a /src/dal | |
parent | 94bf187c196769b87fbbfa9a9c083f94def82ccf (diff) | |
download | manaserv-1af60893e6737942c2079c794d53a4e21cf87c58.tar.gz manaserv-1af60893e6737942c2079c794d53a4e21cf87c58.tar.bz2 manaserv-1af60893e6737942c2079c794d53a4e21cf87c58.tar.xz manaserv-1af60893e6737942c2079c794d53a4e21cf87c58.zip |
* Account server now loads item database on startup and synchronizes tmw_items table in the database.
* Added method to DataProvider to escape quotes in strings so that they can be used in SQL statements.
Diffstat (limited to 'src/dal')
-rw-r--r-- | src/dal/dataprovider.cpp | 16 | ||||
-rw-r--r-- | src/dal/dataprovider.h | 8 | ||||
-rw-r--r-- | src/dal/sqlitedataprovider.cpp | 2 |
3 files changed, 25 insertions, 1 deletions
diff --git a/src/dal/dataprovider.cpp b/src/dal/dataprovider.cpp
index 93de865c..4092c6bf 100644
--- a/src/dal/dataprovider.cpp
+++ b/src/dal/dataprovider.cpp
@@ -22,6 +22,7 @@
 #include "dataprovider.h"
+#include "../utils/logger.h"
 namespace dal
 {
@@ -74,4 +75,19 @@ DataProvider::getDbName(void)
 }
+std::string& DataProvider::escapeSQL(std::string &sql)
+{
+ size_t pos = 0;
+
+ pos = sql.find("'", pos);
+ while (pos != std::string::npos)
+ {
+ sql.replace(pos, 1, "\'\'");
+ pos += 2;
+ pos = sql.find("'", pos);
+ }
+
+ return sql;
+}
+
 } // namespace dal
diff --git a/src/dal/dataprovider.h b/src/dal/dataprovider.h
index 2c0a9de4..7cbc28b9 100644
--- a/src/dal/dataprovider.h
+++ b/src/dal/dataprovider.h
@@ -180,6 +180,14 @@ class DataProvider
 virtual const unsigned int getLastId(void) const = 0;
+ /**
+ * Takes a SQL snippet and escapes special caharacters like ' to prevent
+ * SQL injection attacks.
+ *
+ * @param sql SQL Snippet to escape.
+ */
+ std::string& escapeSQL(std::string &sql);
+
 protected:
 std::string mDbName; /**< the database name */
 bool mIsConnected; /**< the connection status */
diff --git a/src/dal/sqlitedataprovider.cpp b/src/dal/sqlitedataprovider.cpp
index feb85760..77b5a5f5 100644
--- a/src/dal/sqlitedataprovider.cpp
+++ b/src/dal/sqlitedataprovider.cpp
@@ -153,7 +153,7 @@ SqLiteDataProvider::execSql(const std::string& sql,
 if (errCode != SQLITE_OK)
 {
 std::string msg(sqlite3_errmsg(mDb));
- LOG_ERROR("Error in SQL: " << msg);
+ LOG_ERROR("Error in SQL: " << sql << "\n" << msg);
 // free memory
 sqlite3_free_table(result); |
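Review bot: escapeSQL doubles single quotes only, which is the correct escaping for SQLite but not necessarily for every backend this abstract DataProvider (getLastId is pure virtual) may front: on a MySQL connection with backslash escapes enabled, the input `\'` becomes `\''`, where the backslash consumes the first quote and the second quote closes the literal, so the helper alone does not stop injection there. Make the hook `virtual std::string& escapeSQL(std::string &sql);` so each provider can delegate to its driver's routine (for SQLite, `sqlite3_mprintf("%q", ...)`), or better, move callers to bound parameters. Embedded NUL bytes are a second gap: a std::string carries them, but the C string handed to the driver ends there, silently dropping whatever follows the escaped value, so consider rejecting `'\0'` in the same pass. Minor style: `"\'\'"` is just `"''"`, and `sql.find('\'', pos)` with a char avoids the string-overload call.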
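Review bot: The doc comment on escapeSQL in dataprovider.h overstates the guarantee: the function only doubles single quotes, so it is safe solely for a value spliced into a single-quoted SQL string literal, not for numeric positions, identifiers or LIKE patterns, and callers must still add the surrounding quotes themselves, so "prevents SQL injection attacks" will invite misuse. Suggested wording: `Doubles every single quote in a value so it can be embedded in a single-quoted SQL string literal. Callers still supply the surrounding quotes; this is not a substitute for bound parameters.` Add `@return the same string, modified in place` since the in-place mutation is not obvious from the signature, and fix the typo `caharacters`.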
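Review bot: Logging the full statement at error level now writes every value interpolated into `sql` to the server log; for an account server those statements plausibly carry account names, e-mail addresses or password hashes, which then persist under different access controls than the database. Consider keeping the driver message at error level and emitting the statement only at a debug level if the logger offers one, or truncating it: `LOG_ERROR("Error in SQL: " << msg); LOG_DEBUG("Failed statement: " << sql);`. The enclosing if-block and execSql continue outside the hunk.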