Diffstat (limited to 'src/dal')
-rw-r--r--src/dal/dataprovider.cpp16
-rw-r--r--src/dal/dataprovider.h8
-rw-r--r--src/dal/sqlitedataprovider.cpp2
3 files changed, 25 insertions, 1 deletions
diff --git a/src/dal/dataprovider.cpp b/src/dal/dataprovider.cpp
index 93de865c..4092c6bf 100644
--- a/src/dal/dataprovider.cpp
+++ b/src/dal/dataprovider.cpp
@@ -22,6 +22,7 @@
#include "dataprovider.h"
+#include "../utils/logger.h"
namespace dal
{
@@ -74,4 +75,19 @@ DataProvider::getDbName(void)
}
+std::string& DataProvider::escapeSQL(std::string &sql)
+{
+ size_t pos = 0;
+
+ pos = sql.find("'", pos);
+ while (pos != std::string::npos)
+ {
+ sql.replace(pos, 1, "\'\'");
+ pos += 2;
+ pos = sql.find("'", pos);
+ }
+
+ return sql;
+}
+
} // namespace dal
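Review bot: escapeSQL doubles only the single quote, which is the right escape for a value placed inside a single-quoted SQL string literal, but it is not a general injection defence: a caller that interpolates the result into a numeric or identifier position, or forgets the surrounding quotes, gets no protection at all. Since sqlitedataprovider.cpp already talks to the sqlite3 C API, the robust fix is to bind values with sqlite3_prepare_v2/sqlite3_bind_text instead of assembling SQL text, and at minimum the function should state that precondition in its header comment. The added `#include "../utils/logger.h"` is not used by anything visible in this hunk — presumably intended for a later change, worth confirming. On style, the function reads no member state and could be `static`, and mutating the argument in place while also returning it by reference invites double use; a signature like `static std::string escapeSQL(const std::string &sql);` that returns a fresh string would be clearer.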
diff --git a/src/dal/dataprovider.h b/src/dal/dataprovider.h
index 2c0a9de4..7cbc28b9 100644
--- a/src/dal/dataprovider.h
+++ b/src/dal/dataprovider.h
@@ -180,6 +180,14 @@ class DataProvider
virtual const unsigned int
getLastId(void) const = 0;
+ /**
+ * Takes a SQL snippet and escapes special caharacters like ' to prevent
+ * SQL injection attacks.
+ *
+ * @param sql SQL Snippet to escape.
+ */
+ std::string& escapeSQL(std::string &sql);
+
protected:
std::string mDbName; /**< the database name */
bool mIsConnected; /**< the connection status */
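Review bot: The new doc comment overstates what escapeSQL does and has a typo ("caharacters"); the implementation handles only the single quote, so the comment should say so and state where the result may safely be used. Suggested wording: `* Doubles every single quote in the snippet so it can be embedded in a single-quoted SQL string literal. Only ' is handled; callers must still wrap the value in quotes and must not use this for identifiers or numeric positions.` The comment should also gain `@return Reference to the (modified) input string.` since the function mutates its argument in place and returns it.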
diff --git a/src/dal/sqlitedataprovider.cpp b/src/dal/sqlitedataprovider.cpp
index feb85760..77b5a5f5 100644
--- a/src/dal/sqlitedataprovider.cpp
+++ b/src/dal/sqlitedataprovider.cpp
@@ -153,7 +153,7 @@ SqLiteDataProvider::execSql(const std::string& sql,
if (errCode != SQLITE_OK) {
std::string msg(sqlite3_errmsg(mDb));
- LOG_ERROR("Error in SQL: " << msg);
+ LOG_ERROR("Error in SQL: " << sql << "\n" << msg);
// free memory
sqlite3_free_table(result);