Diffstat (limited to 'src/dal')
-rw-r--r-- | src/dal/dataprovider.cpp | 16 | ||||
-rw-r--r-- | src/dal/dataprovider.h | 8 | ||||
-rw-r--r-- | src/dal/sqlitedataprovider.cpp | 2 |
3 files changed, 25 insertions, 1 deletions
diff --git a/src/dal/dataprovider.cpp b/src/dal/dataprovider.cpp
index 93de865c..4092c6bf 100644
--- a/src/dal/dataprovider.cpp
+++ b/src/dal/dataprovider.cpp
@@ -22,6 +22,7 @@
 #include "dataprovider.h"
+#include "../utils/logger.h"
 namespace dal
 {
@@ -74,4 +75,19 @@ DataProvider::getDbName(void)
 }
+std::string& DataProvider::escapeSQL(std::string &sql)
+{
+ size_t pos = 0;
+
+ pos = sql.find("'", pos);
+ while (pos != std::string::npos)
+ {
+ sql.replace(pos, 1, "\'\'");
+ pos += 2;
+ pos = sql.find("'", pos);
+ }
+
+ return sql;
+}
+
 } // namespace dal
diff --git a/src/dal/dataprovider.h b/src/dal/dataprovider.h
index 2c0a9de4..7cbc28b9 100644
--- a/src/dal/dataprovider.h
+++ b/src/dal/dataprovider.h
@@ -180,6 +180,14 @@ class DataProvider
 virtual const unsigned int getLastId(void) const = 0;
+ /**
+ * Takes a SQL snippet and escapes special caharacters like ' to prevent
+ * SQL injection attacks.
+ *
+ * @param sql SQL Snippet to escape.
+ */
+ std::string& escapeSQL(std::string &sql);
+
 protected:
 std::string mDbName; /**< the database name */
 bool mIsConnected; /**< the connection status */
diff --git a/src/dal/sqlitedataprovider.cpp b/src/dal/sqlitedataprovider.cpp
index feb85760..77b5a5f5 100644
--- a/src/dal/sqlitedataprovider.cpp
+++ b/src/dal/sqlitedataprovider.cpp
@@ -153,7 +153,7 @@ SqLiteDataProvider::execSql(const std::string& sql,
 if (errCode != SQLITE_OK)
 {
 std::string msg(sqlite3_errmsg(mDb));
- LOG_ERROR("Error in SQL: " << msg);
+ LOG_ERROR("Error in SQL: " << sql << "\n" << msg);
 // free memory
 sqlite3_free_table(result); |
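Review bot: The `#include "../utils/logger.h"` added to dataprovider.cpp is not used by anything else this commit adds to that file; the new escapeSQL body does no logging. If no other code in dataprovider.cpp (not visible here) calls the logger macros, the include should be dropped rather than left as a dependency nobody in the file needs.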
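Review bot: escapeSQL doubles only the single quote, so its output is safe only when the caller embeds it inside a single-quoted string literal on a backend where `''` is the sole escape; the doc comment in the dataprovider.h hunk promises more ("special characters like '" and "prevent SQL injection attacks") than the code delivers, and a value spliced into a numeric or identifier position gets no protection at all. DataProvider is the backend-neutral base class, and the only backend on this page is the SQLite one, so a backend with backslash escaping or different NUL handling would need its own rule — the escaping belongs in the concrete provider, or better, the SQLite provider should bind values through sqlite3_prepare_v2/sqlite3_bind_text instead of splicing them into the statement text. At minimum the header comment should state the actual contract, e.g. `Doubles every single quote in a value that the caller will place inside a single-quoted SQL string literal; modifies sql in place and returns a reference to it.`, and fix the typo "caharacters". Minor style: `sql.find('\'', pos)` and `"''"` express the same thing with less noise than `"'"` and `"\'\'"`.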
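Review bot: The new LOG_ERROR line in execSql writes the complete statement text to the error log, and because this codebase splices values into the SQL string (see escapeSQL in the dataprovider.cpp hunk) rather than binding them, any user-supplied or sensitive value that happened to be in the failing statement — credentials or personal data, if any table holds such fields — is copied into the log verbatim. Consider keeping the error line as `LOG_ERROR("Error in SQL: " << msg);` and emitting the statement text only through a debug-level channel, or a bounded prefix of `sql`, so that a production error log does not become a store of query contents. Style nit: `'\n'` instead of `"\n"` when streaming a single character. execSql begins outside the hunk, so whether `sql` is already logged on entry cannot be seen here.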