Bruker mysql_real_escape_string på alle spørringer
This commit is contained in:
parent
34bb77eca7
commit
59e7d4782e
127
mysql-dbadm.c
127
mysql-dbadm.c
|
@ -1,11 +1,13 @@
|
||||||
/*
|
/*
|
||||||
* @(#) $Header: /tmp/cvs/mysql-admutils/mysql-dbadm.c,v 1.21 2007-06-07 11:43:52 geirha Exp $
|
* @(#) $Header: /home/stud/admin/cvs/mysql-admutils/mysql-dbadm.c,v 1.20 2007/06/04 08:40:54 geirha Exp $
|
||||||
*
|
*
|
||||||
* mysql-dbadm.c
|
* mysql-dbadm.c
|
||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#include <config.h>
|
#include "config.h"
|
||||||
|
#include "mysql-admutils.h"
|
||||||
|
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
#include <mysql.h>
|
#include <mysql.h>
|
||||||
|
@ -16,12 +18,18 @@
|
||||||
#include <grp.h>
|
#include <grp.h>
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
#include "mysql-admutils.h"
|
|
||||||
|
|
||||||
/* New database names may only use these characters in their identifier */
|
/* New database names may only use these characters in their identifier */
|
||||||
const char dbname_validchars[] =
|
const char dbname_validchars[] =
|
||||||
"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-";
|
"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-";
|
||||||
|
|
||||||
|
/* same as strcpy, but returns a pointer to the end of dest instead of start */
|
||||||
|
char *strmov(char *dest, const char *src) {
|
||||||
|
while ((*dest++ = *src++))
|
||||||
|
;
|
||||||
|
return dest-1;
|
||||||
|
}
|
||||||
|
|
||||||
/* Returns true if dbname contains only characters in dbname_validchars. */
|
/* Returns true if dbname contains only characters in dbname_validchars. */
|
||||||
int dbname_isclean(char* dbname) {
|
int dbname_isclean(char* dbname) {
|
||||||
int reallen, cleanlen;
|
int reallen, cleanlen;
|
||||||
|
@ -138,8 +146,14 @@ create(MYSQL *pmysql, char *db)
|
||||||
}
|
}
|
||||||
mysql_select_db(pmysql, "mysql");
|
mysql_select_db(pmysql, "mysql");
|
||||||
// oppretter databasen.
|
// oppretter databasen.
|
||||||
char query[1024];
|
char query[1024], *end;
|
||||||
sprintf(query, "create database `%s`", db);
|
end = strmov(query, "CREATE DATABASE `");
|
||||||
|
end += mysql_real_escape_string(pmysql, end, db, strlen(db));
|
||||||
|
*end++ = '`';
|
||||||
|
*end = '\0';
|
||||||
|
#ifdef DEBUG
|
||||||
|
printf("query: %s\n", query);
|
||||||
|
#endif
|
||||||
if (mysql_query(pmysql, query))
|
if (mysql_query(pmysql, query))
|
||||||
return dberror(pmysql, "Cannot create database '%s'.", db);
|
return dberror(pmysql, "Cannot create database '%s'.", db);
|
||||||
fprintf(stderr, "Database '%s' created.\n", db);
|
fprintf(stderr, "Database '%s' created.\n", db);
|
||||||
|
@ -150,9 +164,16 @@ create(MYSQL *pmysql, char *db)
|
||||||
int
|
int
|
||||||
drop(MYSQL *pmysql, char *db)
|
drop(MYSQL *pmysql, char *db)
|
||||||
{
|
{
|
||||||
char query[1024];
|
char query[1024], *end;
|
||||||
|
|
||||||
sprintf(query, "delete from db where db = '%s'", db);
|
end = strmov(query, "DELETE FROM db WHERE db = '");
|
||||||
|
end += mysql_real_escape_string(pmysql, end, db, strlen(db));
|
||||||
|
*end++ = '\'';
|
||||||
|
*end = '\0';
|
||||||
|
|
||||||
|
#ifdef DEBUG
|
||||||
|
printf("query: %s\n", query);
|
||||||
|
#endif
|
||||||
if (mysql_query(pmysql, query))
|
if (mysql_query(pmysql, query))
|
||||||
dberror(pmysql, "Failed to delete permissions for database '%s'.", db);
|
dberror(pmysql, "Failed to delete permissions for database '%s'.", db);
|
||||||
|
|
||||||
|
@ -162,7 +183,14 @@ drop(MYSQL *pmysql, char *db)
|
||||||
}
|
}
|
||||||
mysql_select_db(pmysql, "mysql");
|
mysql_select_db(pmysql, "mysql");
|
||||||
|
|
||||||
sprintf(query, "drop database `%s`", db);
|
end = strmov(query, "DROP DATABASE `");
|
||||||
|
end += mysql_real_escape_string(pmysql, end, db, strlen(db));
|
||||||
|
*end++ = '`';
|
||||||
|
*end = '\0';
|
||||||
|
|
||||||
|
#ifdef DEBUG
|
||||||
|
printf("query: %s\n", query);
|
||||||
|
#endif
|
||||||
if (mysql_query(pmysql, query))
|
if (mysql_query(pmysql, query))
|
||||||
return dberror(pmysql, "Cannot drop database '%s'.", db);
|
return dberror(pmysql, "Cannot drop database '%s'.", db);
|
||||||
|
|
||||||
|
@ -246,8 +274,7 @@ list(MYSQL *pmysql)
|
||||||
|
|
||||||
|
|
||||||
free(wild);
|
free(wild);
|
||||||
free(res);
|
mysql_free_result(res);
|
||||||
free(cp_kopi);
|
|
||||||
cp++;
|
cp++;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -272,6 +299,7 @@ list(MYSQL *pmysql)
|
||||||
dblist[counter++] = strdup(row[0]);
|
dblist[counter++] = strdup(row[0]);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
mysql_free_result(res);
|
||||||
|
|
||||||
res = mysql_list_dbs(pmysql, p->pw_name);
|
res = mysql_list_dbs(pmysql, p->pw_name);
|
||||||
rows = mysql_num_rows(res);
|
rows = mysql_num_rows(res);
|
||||||
|
@ -280,7 +308,10 @@ list(MYSQL *pmysql)
|
||||||
|
|
||||||
dblist[counter] = NULL;
|
dblist[counter] = NULL;
|
||||||
|
|
||||||
|
mysql_free_result(res);
|
||||||
free(wild);
|
free(wild);
|
||||||
|
for (i=0;i<numgroups;i++)
|
||||||
|
free(usr_groups[i]);
|
||||||
free(usr_groups);
|
free(usr_groups);
|
||||||
return dblist;
|
return dblist;
|
||||||
}
|
}
|
||||||
|
@ -289,15 +320,23 @@ list(MYSQL *pmysql)
|
||||||
int
|
int
|
||||||
writeperm(FILE *f, MYSQL *pmysql, const char *db)
|
writeperm(FILE *f, MYSQL *pmysql, const char *db)
|
||||||
{
|
{
|
||||||
char query[1024];
|
char query[2048], *end;
|
||||||
MYSQL_RES *res;
|
MYSQL_RES *res;
|
||||||
int rows, i;
|
int rows, i;
|
||||||
MYSQL_ROW row;
|
MYSQL_ROW row;
|
||||||
|
|
||||||
sprintf(query, "select user,select_priv,insert_priv,update_priv,"
|
end = strmov(query, "SELECT user,select_priv,insert_priv,update_priv,"
|
||||||
"delete_priv,create_priv,drop_priv,alter_priv,index_priv,"
|
"delete_priv,create_priv,drop_priv,"
|
||||||
"create_tmp_table_priv,lock_tables_priv from db where db='%s'", db);
|
"alter_priv,index_priv,"
|
||||||
|
"create_tmp_table_priv,lock_tables_priv "
|
||||||
|
"FROM db WHERE db = '");
|
||||||
|
end += mysql_real_escape_string(pmysql, end, db, strlen(db));
|
||||||
|
*end++ = '\'';
|
||||||
|
*end = '\0';
|
||||||
|
|
||||||
|
#ifdef DEBUG
|
||||||
|
printf("query: %s\n", query);
|
||||||
|
#endif
|
||||||
if (mysql_query(pmysql, query))
|
if (mysql_query(pmysql, query))
|
||||||
return dberror(pmysql, "Query for permissions failed.");
|
return dberror(pmysql, "Query for permissions failed.");
|
||||||
res = mysql_store_result(pmysql);
|
res = mysql_store_result(pmysql);
|
||||||
|
@ -318,7 +357,7 @@ writeperm(FILE *f, MYSQL *pmysql, const char *db)
|
||||||
row[0], row[1], row[2], row[3], row[4], row[5], row[6], row[7], row[8], row[9], row[10]);
|
row[0], row[1], row[2], row[3], row[4], row[5], row[6], row[7], row[8], row[9], row[10]);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
free(res);
|
mysql_free_result(res);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -349,17 +388,17 @@ editperm(MYSQL *pmysql, const char *db)
|
||||||
char *user, *select_priv, *insert_priv, *update_priv, *delete_priv,
|
char *user, *select_priv, *insert_priv, *update_priv, *delete_priv,
|
||||||
*create_priv, *drop_priv, *alter_priv, *index_priv, *create_tmp_table_priv,
|
*create_priv, *drop_priv, *alter_priv, *index_priv, *create_tmp_table_priv,
|
||||||
*lock_tables_priv;
|
*lock_tables_priv;
|
||||||
char query[1024]; /* used to build a query */
|
char query[4096], *end; /* used to build a query */
|
||||||
char *queries[MAX_GRANTS]; /* insert queries */
|
char *queries[MAX_GRANTS]; /* insert queries */
|
||||||
int lines; /* number of grant lines processed */
|
int lines; /* number of grant lines processed */
|
||||||
int i; /* iterate through lines[] */
|
int i; /* iterate through lines[] */
|
||||||
|
|
||||||
mkstemp(fn);
|
int fd = mkstemp(fn);
|
||||||
|
|
||||||
if (strcmp(fn, "") == 0)
|
if (fd == -1)
|
||||||
return dberror(NULL, "Cannot create a unique temporary file name.");
|
return dberror(NULL, "Cannot create a unique temporary file name.");
|
||||||
|
|
||||||
f = fopen(fn, "w");
|
f = fdopen(fd, "w");
|
||||||
if (f == NULL)
|
if (f == NULL)
|
||||||
return dberror(NULL, "Failed to open temporary file %s.", fn);
|
return dberror(NULL, "Failed to open temporary file %s.", fn);
|
||||||
writeperm(f, pmysql, db);
|
writeperm(f, pmysql, db);
|
||||||
|
@ -432,12 +471,39 @@ editperm(MYSQL *pmysql, const char *db)
|
||||||
#undef STRTOK_WHITESPACE
|
#undef STRTOK_WHITESPACE
|
||||||
#undef CHECK_PRIV
|
#undef CHECK_PRIV
|
||||||
|
|
||||||
sprintf(query, "insert into db (host, db, user, select_priv, insert_priv, "
|
end = strmov(query, "INSERT INTO db ("
|
||||||
"update_priv, delete_priv, create_priv, drop_priv, alter_priv, index_priv, "
|
"host,db,user,select_priv,insert_priv,"
|
||||||
"create_tmp_table_priv, lock_tables_priv) values "
|
"update_priv,delete_priv,create_priv,"
|
||||||
"('%%', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s')",
|
"drop_priv,alter_priv,index_priv,"
|
||||||
db, user, select_priv, insert_priv, update_priv, delete_priv,
|
"create_tmp_table_priv,lock_tables_priv"
|
||||||
create_priv, drop_priv, alter_priv, index_priv, create_tmp_table_priv, lock_tables_priv);
|
") VALUES (");
|
||||||
|
|
||||||
|
end = strmov(end, "'%'");
|
||||||
|
|
||||||
|
#define APPEND(VAR) {\
|
||||||
|
*end++ = ',';\
|
||||||
|
*end++ = '\'';\
|
||||||
|
end += mysql_real_escape_string(pmysql, end, VAR, strlen(VAR));\
|
||||||
|
*end++ = '\'';\
|
||||||
|
}
|
||||||
|
|
||||||
|
APPEND(db);
|
||||||
|
APPEND(user);
|
||||||
|
APPEND(select_priv);
|
||||||
|
APPEND(insert_priv);
|
||||||
|
APPEND(update_priv);
|
||||||
|
APPEND(delete_priv);
|
||||||
|
APPEND(create_priv);
|
||||||
|
APPEND(drop_priv);
|
||||||
|
APPEND(alter_priv);
|
||||||
|
APPEND(index_priv);
|
||||||
|
APPEND(create_tmp_table_priv);
|
||||||
|
APPEND(lock_tables_priv);
|
||||||
|
*end++ = ')';
|
||||||
|
*end = '\0';
|
||||||
|
|
||||||
|
#undef APPEND
|
||||||
|
|
||||||
queries[lines] = strdup(query);
|
queries[lines] = strdup(query);
|
||||||
lines++;
|
lines++;
|
||||||
if (lines >= MAX_GRANTS)
|
if (lines >= MAX_GRANTS)
|
||||||
|
@ -454,7 +520,13 @@ editperm(MYSQL *pmysql, const char *db)
|
||||||
/* now that we have checked the input for errors, we can safely
|
/* now that we have checked the input for errors, we can safely
|
||||||
delete the old grants from the database and insert the new ones. */
|
delete the old grants from the database and insert the new ones. */
|
||||||
|
|
||||||
sprintf(query, "delete from db where db='%s'", db);
|
end = strmov(query, "DELETE FROM db WHERE db = '");
|
||||||
|
end += mysql_real_escape_string(pmysql, end, db, strlen(db));
|
||||||
|
*end++ = '\'';
|
||||||
|
*end = '\0';
|
||||||
|
#ifdef DEBUG
|
||||||
|
printf("query: %s\n", query);
|
||||||
|
#endif
|
||||||
if (mysql_query(pmysql, query))
|
if (mysql_query(pmysql, query))
|
||||||
dberror(pmysql, "Failed to delete old grants for '%s'.", db);
|
dberror(pmysql, "Failed to delete old grants for '%s'.", db);
|
||||||
|
|
||||||
|
@ -466,6 +538,7 @@ editperm(MYSQL *pmysql, const char *db)
|
||||||
#endif
|
#endif
|
||||||
if (mysql_query(pmysql, queries[i]))
|
if (mysql_query(pmysql, queries[i]))
|
||||||
dberror(pmysql, "Failed to insert grant line %d.", i + 1);
|
dberror(pmysql, "Failed to insert grant line %d.", i + 1);
|
||||||
|
free(queries[i]);
|
||||||
}
|
}
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
|
@ -517,7 +590,7 @@ main(int argc, char *argv[])
|
||||||
else
|
else
|
||||||
return wrong_use("unrecognized command"); /* XXX */
|
return wrong_use("unrecognized command"); /* XXX */
|
||||||
|
|
||||||
/* all other than show requires at lease one DATABASE argument. */
|
/* all other than show requires at least one DATABASE argument. */
|
||||||
if ((command != c_show) && (argc < 3))
|
if ((command != c_show) && (argc < 3))
|
||||||
return wrong_use(NULL);
|
return wrong_use(NULL);
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue