Temporær fiks for sql injection. Bør gjøres med prepared statements

2012-11-29 14:57:13 +00:00 · 2012-11-29 14:57:13 +00:00 · 2c07495d82
parent 953f1fe842
commit 2c07495d82
1 changed files with 18 additions and 3 deletions
--- a/mysql-dbadm.c
+++ b/mysql-dbadm.c
@ -573,13 +573,28 @@ main(int argc, char *argv[])
          }
          break;
        case c_drop:
-          drop(&mysql, db);
+          if(dbname_isclean(db)) {
+            drop(&mysql, db);
+          } else {
+            dberror(NULL, "Database name '%s' contains invalid characters.\n"
+                        "Only A-Z, a-z, 0-9, _ (underscore) and - (dash) permitted. Skipping.", db);
+          }
          break;
        case c_editperm:
-          editperm(&mysql, db);
+          if(dbname_isclean(db)) {
+            editperm(&mysql, db);
+          } else {
+            dberror(NULL, "Database name '%s' contains invalid characters.\n"
+                        "Only A-Z, a-z, 0-9, _ (underscore) and - (dash) permitted. Skipping.", db);
+          }
          break;
        case c_show:
-          show(&mysql, db);
+          if(dbname_isclean(db)) {
+            show(&mysql, db);
+          } else {
+            dberror(NULL, "Database name '%s' contains invalid characters.\n"
+                        "Only A-Z, a-z, 0-9, _ (underscore) and - (dash) permitted. Skipping.", db);
+          }
          break;
        default:
          return dberror(NULL, "This point should never be reached!");