Overview
| Comment: | Make use of %q instead of %s to avoid SQL injections. |
|---|---|
| SHA1: |
e766df0a69a317946270ec41a3375393 |
| User & Date: | drh 2012-08-22 20:19:15.968 |
Context
|
2012-08-22
| ||
| 21:30 | two minor typos ... (check-in: 544c163551 user: jan.nijtmans tags: trunk) | |
| 20:19 | Make use of %q instead of %s to avoid SQL injections. ... (check-in: e766df0a69 user: drh tags: trunk) | |
| 11:51 | Merge the TCL argument handling patches into trunk. ... (check-in: b6a7e52c93 user: drh tags: trunk) | |
Changes
Changes to src/add.c.
| ︙ | ︙ | |||
91 92 93 94 95 96 97 |
if( zAll==0 ){
Blob x;
int i;
const char *z;
blob_zero(&x);
for(i=0; (z = fossil_reserved_name(i))!=0; i++){
if( i>0 ) blob_append(&x, ",", 1);
| | | 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 |
if( zAll==0 ){
Blob x;
int i;
const char *z;
blob_zero(&x);
for(i=0; (z = fossil_reserved_name(i))!=0; i++){
if( i>0 ) blob_append(&x, ",", 1);
blob_appendf(&x, "'%q'", z);
}
zAll = blob_str(&x);
}
return zAll;
}
/*
|
| ︙ | ︙ | |||
505 506 507 508 509 510 511 |
** Rename a single file.
**
** The original name of the file is zOrig. The new filename is zNew.
*/
static void mv_one_file(int vid, const char *zOrig, const char *zNew){
fossil_print("RENAME %s %s\n", zOrig, zNew);
db_multi_exec(
| | | 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 |
** Rename a single file.
**
** The original name of the file is zOrig. The new filename is zNew.
*/
static void mv_one_file(int vid, const char *zOrig, const char *zNew){
fossil_print("RENAME %s %s\n", zOrig, zNew);
db_multi_exec(
"UPDATE vfile SET pathname='%q' WHERE pathname='%q' AND vid=%d",
zNew, zOrig, vid
);
}
/*
** COMMAND: mv
** COMMAND: rename*
|
| ︙ | ︙ | |||
589 590 591 592 593 594 595 |
const char *zTail;
if( nPath==nOrig ){
zTail = file_tail(zPath);
}else{
zTail = &zPath[nOrig+1];
}
db_multi_exec(
| | | 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 |
const char *zTail;
if( nPath==nOrig ){
zTail = file_tail(zPath);
}else{
zTail = &zPath[nOrig+1];
}
db_multi_exec(
"INSERT INTO mv VALUES('%q','%q%q')",
zPath, blob_str(&dest), zTail
);
}
db_finalize(&q);
}
}
db_prepare(&q, "SELECT f, t FROM mv ORDER BY f");
|
| ︙ | ︙ |
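Review bot: `%q` only doubles single quotes, so these statements are protected only while every `%q` sits inside a `'...'` literal in the format string, as it does in `"'%q'"`, the `UPDATE vfile` in `mv_one_file` and `VALUES('%q','%q%q')`. Nothing in the code states that invariant, and a later edit that drops the surrounding quotes or reuses `%q` for an identifier would silently reopen the hole. I would add a comment above the `db_multi_exec` in `mv_one_file`, for example `/* %q is safe only inside '...'; never use it for identifiers or unquoted values */`. The same applies to the queries changed in src/branch.c, src/info.c and src/tkt.c. The first and third hunks sit inside functions that start outside the hunk.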
Changes to src/branch.c.
| ︙ | ︙ | |||
59 60 61 62 63 64 65 |
zBranch = g.argv[3];
if( zBranch==0 || zBranch[0]==0 ){
fossil_panic("branch name cannot be empty");
}
if( db_exists(
"SELECT 1 FROM tagxref"
" WHERE tagtype>0"
| | | 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 |
zBranch = g.argv[3];
if( zBranch==0 || zBranch[0]==0 ){
fossil_panic("branch name cannot be empty");
}
if( db_exists(
"SELECT 1 FROM tagxref"
" WHERE tagtype>0"
" AND tagid=(SELECT tagid FROM tag WHERE tagname='sym-%q')",
zBranch)!=0 ){
fossil_fatal("branch \"%s\" already exists", zBranch);
}
user_select();
db_begin_transaction();
rootid = name_to_typed_rid(g.argv[4], "ci");
|
| ︙ | ︙ |
Changes to src/info.c.
| ︙ | ︙ | |||
228 229 230 231 232 233 234 |
int cnt = 0;
db_prepare(&q,
"SELECT tag.tagid, tagname, "
" (SELECT uuid FROM blob WHERE rid=tagxref.srcid AND rid!=%d),"
" value, datetime(tagxref.mtime,'localtime'), tagtype,"
" (SELECT uuid FROM blob WHERE rid=tagxref.origid AND rid!=%d)"
" FROM tagxref JOIN tag ON tagxref.tagid=tag.tagid"
| | | 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 |
int cnt = 0;
db_prepare(&q,
"SELECT tag.tagid, tagname, "
" (SELECT uuid FROM blob WHERE rid=tagxref.srcid AND rid!=%d),"
" value, datetime(tagxref.mtime,'localtime'), tagtype,"
" (SELECT uuid FROM blob WHERE rid=tagxref.origid AND rid!=%d)"
" FROM tagxref JOIN tag ON tagxref.tagid=tag.tagid"
" WHERE tagxref.rid=%d AND tagname NOT GLOB '%q'"
" ORDER BY tagname /*sort*/", rid, rid, rid, zNotGlob
);
while( db_step(&q)==SQLITE_ROW ){
const char *zTagname = db_column_text(&q, 1);
const char *zSrcUuid = db_column_text(&q, 2);
const char *zValue = db_column_text(&q, 3);
const char *zDate = db_column_text(&q, 4);
|
| ︙ | ︙ |
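Review bot: `zNotGlob` is spliced into `tagname NOT GLOB '%q'` as a pattern, and `%q` only handles quoting, so any `*`, `?` or `[` in it keeps its wildcard meaning. That is presumably the intent here, but the hunk does not show where `zNotGlob` comes from and nothing says it must be a fixed pattern. A comment above the `db_prepare`, such as `/* zNotGlob is a GLOB pattern, not a literal; pass only fixed patterns */`, would keep a later caller from handing it user-supplied text. The enclosing function starts and ends outside the hunk.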
Changes to src/tkt.c.
| ︙ | ︙ | |||
464 465 466 467 468 469 470 |
blob_appendf(&tktchng, "J %s %#F\n", azField[i], nValue, zValue);
}
}
}
}
if( *(char**)pUuid ){
zUuid = db_text(0,
| | | 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 |
blob_appendf(&tktchng, "J %s %#F\n", azField[i], nValue, zValue);
}
}
}
}
if( *(char**)pUuid ){
zUuid = db_text(0,
"SELECT tkt_uuid FROM ticket WHERE tkt_uuid GLOB '%q*'", P("name")
);
}else{
zUuid = db_text(0, "SELECT lower(hex(randomblob(20)))");
}
*(const char**)pUuid = zUuid;
blob_appendf(&tktchng, "K %s\n", zUuid);
blob_appendf(&tktchng, "U %F\n", g.zLogin ? g.zLogin : "");
|
| ︙ | ︙ |
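Review bot: In the `db_text` lookup of `tkt_uuid`, `%q` stops quote breakout, but `P("name")` is still evaluated as a GLOB pattern, so wildcard characters in it widen the match and the first matching ticket is the one that gets used. If `P("name")` is request-supplied, as it appears to be, it should be checked to contain only hex digits before the query runs, with a comment such as `/* %q escapes quotes only; name must be validated as hex before use as a GLOB prefix */`. The no-match case also looks unhandled: `db_text(0, ...)` would then pass its default of 0 on to the `K %s` card a few lines below. The enclosing function starts and ends outside the hunk.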