Projects/mysql-admutils
Projects
/
mysql-admutils
13
0
Fork 0
Code Issues Pull Requests Activity

Bruker mysql_real_escape_string på alle spørringer

This commit is contained in:
Geir Hauge 2012-11-30 13:46:41 +00:00
parent 34bb77eca7
commit 59e7d4782e
1 changed files with 102 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

131
mysql-dbadm.c
View File

@ -1,11 +1,13 @@
/* /*
* @(#) $Header: /tmp/cvs/mysql-admutils/mysql-dbadm.c,v 1.21 2007-06-07 11:43:52 geirha Exp $ * @(#) $Header: /home/stud/admin/cvs/mysql-admutils/mysql-dbadm.c,v 1.20 2007/06/04 08:40:54 geirha Exp $
* *
* mysql-dbadm.c * mysql-dbadm.c
* *
*/ */
#include <config.h> #include "config.h"
#include "mysql-admutils.h"
#include <stdio.h> #include <stdio.h>
#include <string.h> #include <string.h>
#include <mysql.h> #include <mysql.h>
@ -16,12 +18,18 @@
#include <grp.h> #include <grp.h>
#include <sys/types.h> #include <sys/types.h>
#include <unistd.h> #include <unistd.h>
#include "mysql-admutils.h"
/* New database names may only use these characters in their identifier */ /* New database names may only use these characters in their identifier */
const char dbname_validchars[] = const char dbname_validchars[] =
"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-"; "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-";
/* same as strcpy, but returns a pointer to the end of dest instead of start */
char *strmov(char *dest, const char *src) {
while ((*dest++ = *src++))
;
return dest-1;
}
/* Returns true if dbname contains only characters in dbname_validchars. */ /* Returns true if dbname contains only characters in dbname_validchars. */
int dbname_isclean(char* dbname) { int dbname_isclean(char* dbname) {
int reallen, cleanlen; int reallen, cleanlen;
@ -65,12 +73,12 @@ int
valid_priv(const char *s) valid_priv(const char *s)
{ {
if (s == NULL) return 0; if (s == NULL) return 0;
#define ACCEPT(x) if (strcmp(s, x) == 0) return 1 #define ACCEPT(x) if (strcmp(s, x) == 0) return 1
ACCEPT("Y"); ACCEPT("Y");
ACCEPT("N"); ACCEPT("N");
ACCEPT("y"); ACCEPT("y");
ACCEPT("n"); ACCEPT("n");
#undef ACCEPT #undef ACCEPT
return 0; /* not a valid priv */ return 0; /* not a valid priv */
} }
@ -138,8 +146,14 @@ create(MYSQL *pmysql, char *db)
} }
mysql_select_db(pmysql, "mysql"); mysql_select_db(pmysql, "mysql");
// oppretter databasen. // oppretter databasen.
char query[1024]; char query[1024], *end;
sprintf(query, "create database `%s`", db); end = strmov(query, "CREATE DATABASE `");
end += mysql_real_escape_string(pmysql, end, db, strlen(db));
*end++ = '`';
*end = '\0';
#ifdef DEBUG
printf("query: %s\n", query);
#endif
if (mysql_query(pmysql, query)) if (mysql_query(pmysql, query))
return dberror(pmysql, "Cannot create database '%s'.", db); return dberror(pmysql, "Cannot create database '%s'.", db);
fprintf(stderr, "Database '%s' created.\n", db); fprintf(stderr, "Database '%s' created.\n", db);
@ -150,9 +164,16 @@ create(MYSQL *pmysql, char *db)
int int
drop(MYSQL *pmysql, char *db) drop(MYSQL *pmysql, char *db)
{ {
char query[1024]; char query[1024], *end;
sprintf(query, "delete from db where db = '%s'", db); end = strmov(query, "DELETE FROM db WHERE db = '");
end += mysql_real_escape_string(pmysql, end, db, strlen(db));
*end++ = '\'';
*end = '\0';
#ifdef DEBUG
printf("query: %s\n", query);
#endif
if (mysql_query(pmysql, query)) if (mysql_query(pmysql, query))
dberror(pmysql, "Failed to delete permissions for database '%s'.", db); dberror(pmysql, "Failed to delete permissions for database '%s'.", db);
@ -162,7 +183,14 @@ drop(MYSQL *pmysql, char *db)
} }
mysql_select_db(pmysql, "mysql"); mysql_select_db(pmysql, "mysql");
sprintf(query, "drop database `%s`", db); end = strmov(query, "DROP DATABASE `");
end += mysql_real_escape_string(pmysql, end, db, strlen(db));
*end++ = '`';
*end = '\0';
#ifdef DEBUG
printf("query: %s\n", query);
#endif
if (mysql_query(pmysql, query)) if (mysql_query(pmysql, query))
return dberror(pmysql, "Cannot drop database '%s'.", db); return dberror(pmysql, "Cannot drop database '%s'.", db);
@ -246,8 +274,7 @@ list(MYSQL *pmysql)
free(wild); free(wild);
free(res); mysql_free_result(res);
free(cp_kopi);
cp++; cp++;
} }
@ -272,6 +299,7 @@ list(MYSQL *pmysql)
dblist[counter++] = strdup(row[0]); dblist[counter++] = strdup(row[0]);
} }
} }
mysql_free_result(res);
res = mysql_list_dbs(pmysql, p->pw_name); res = mysql_list_dbs(pmysql, p->pw_name);
rows = mysql_num_rows(res); rows = mysql_num_rows(res);
@ -280,7 +308,10 @@ list(MYSQL *pmysql)
dblist[counter] = NULL; dblist[counter] = NULL;
mysql_free_result(res);
free(wild); free(wild);
for (i=0;i<numgroups;i++)
free(usr_groups[i]);
free(usr_groups); free(usr_groups);
return dblist; return dblist;
} }
@ -289,15 +320,23 @@ list(MYSQL *pmysql)
int int
writeperm(FILE *f, MYSQL *pmysql, const char *db) writeperm(FILE *f, MYSQL *pmysql, const char *db)
{ {
char query[1024]; char query[2048], *end;
MYSQL_RES *res; MYSQL_RES *res;
int rows, i; int rows, i;
MYSQL_ROW row; MYSQL_ROW row;
sprintf(query, "select user,select_priv,insert_priv,update_priv," end = strmov(query, "SELECT user,select_priv,insert_priv,update_priv,"
"delete_priv,create_priv,drop_priv,alter_priv,index_priv," "delete_priv,create_priv,drop_priv,"
"create_tmp_table_priv,lock_tables_priv from db where db='%s'", db); "alter_priv,index_priv,"
"create_tmp_table_priv,lock_tables_priv "
"FROM db WHERE db = '");
end += mysql_real_escape_string(pmysql, end, db, strlen(db));
*end++ = '\'';
*end = '\0';
#ifdef DEBUG
printf("query: %s\n", query);
#endif
if (mysql_query(pmysql, query)) if (mysql_query(pmysql, query))
return dberror(pmysql, "Query for permissions failed."); return dberror(pmysql, "Query for permissions failed.");
res = mysql_store_result(pmysql); res = mysql_store_result(pmysql);
@ -318,7 +357,7 @@ writeperm(FILE *f, MYSQL *pmysql, const char *db)
row[0], row[1], row[2], row[3], row[4], row[5], row[6], row[7], row[8], row[9], row[10]); row[0], row[1], row[2], row[3], row[4], row[5], row[6], row[7], row[8], row[9], row[10]);
} }
} }
free(res); mysql_free_result(res);
return 0; return 0;
} }
@ -349,17 +388,17 @@ editperm(MYSQL *pmysql, const char *db)
char *user, *select_priv, *insert_priv, *update_priv, *delete_priv, char *user, *select_priv, *insert_priv, *update_priv, *delete_priv,
*create_priv, *drop_priv, *alter_priv, *index_priv, *create_tmp_table_priv, *create_priv, *drop_priv, *alter_priv, *index_priv, *create_tmp_table_priv,
*lock_tables_priv; *lock_tables_priv;
char query[1024]; /* used to build a query */ char query[4096], *end; /* used to build a query */
char *queries[MAX_GRANTS]; /* insert queries */ char *queries[MAX_GRANTS]; /* insert queries */
int lines; /* number of grant lines processed */ int lines; /* number of grant lines processed */
int i; /* iterate through lines[] */ int i; /* iterate through lines[] */
mkstemp(fn); int fd = mkstemp(fn);
if (strcmp(fn, "") == 0) if (fd == -1)
return dberror(NULL, "Cannot create a unique temporary file name."); return dberror(NULL, "Cannot create a unique temporary file name.");
f = fopen(fn, "w"); f = fdopen(fd, "w");
if (f == NULL) if (f == NULL)
return dberror(NULL, "Failed to open temporary file %s.", fn); return dberror(NULL, "Failed to open temporary file %s.", fn);
writeperm(f, pmysql, db); writeperm(f, pmysql, db);
@ -432,12 +471,39 @@ editperm(MYSQL *pmysql, const char *db)
#undef STRTOK_WHITESPACE #undef STRTOK_WHITESPACE
#undef CHECK_PRIV #undef CHECK_PRIV
sprintf(query, "insert into db (host, db, user, select_priv, insert_priv, " end = strmov(query, "INSERT INTO db ("
"update_priv, delete_priv, create_priv, drop_priv, alter_priv, index_priv, " "host,db,user,select_priv,insert_priv,"
"create_tmp_table_priv, lock_tables_priv) values " "update_priv,delete_priv,create_priv,"
"('%%', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s')", "drop_priv,alter_priv,index_priv,"
db, user, select_priv, insert_priv, update_priv, delete_priv, "create_tmp_table_priv,lock_tables_priv"
create_priv, drop_priv, alter_priv, index_priv, create_tmp_table_priv, lock_tables_priv); ") VALUES (");
end = strmov(end, "'%'");
#define APPEND(VAR) {\
*end++ = ',';\
*end++ = '\'';\
end += mysql_real_escape_string(pmysql, end, VAR, strlen(VAR));\
*end++ = '\'';\
}
APPEND(db);
APPEND(user);
APPEND(select_priv);
APPEND(insert_priv);
APPEND(update_priv);
APPEND(delete_priv);
APPEND(create_priv);
APPEND(drop_priv);
APPEND(alter_priv);
APPEND(index_priv);
APPEND(create_tmp_table_priv);
APPEND(lock_tables_priv);
*end++ = ')';
*end = '\0';
#undef APPEND
queries[lines] = strdup(query); queries[lines] = strdup(query);
lines++; lines++;
if (lines >= MAX_GRANTS) if (lines >= MAX_GRANTS)
@ -454,7 +520,13 @@ editperm(MYSQL *pmysql, const char *db)
/* now that we have checked the input for errors, we can safely /* now that we have checked the input for errors, we can safely
delete the old grants from the database and insert the new ones. */ delete the old grants from the database and insert the new ones. */
sprintf(query, "delete from db where db='%s'", db); end = strmov(query, "DELETE FROM db WHERE db = '");
end += mysql_real_escape_string(pmysql, end, db, strlen(db));
*end++ = '\'';
*end = '\0';
#ifdef DEBUG
printf("query: %s\n", query);
#endif
if (mysql_query(pmysql, query)) if (mysql_query(pmysql, query))
dberror(pmysql, "Failed to delete old grants for '%s'.", db); dberror(pmysql, "Failed to delete old grants for '%s'.", db);
@ -466,6 +538,7 @@ editperm(MYSQL *pmysql, const char *db)
#endif #endif
if (mysql_query(pmysql, queries[i])) if (mysql_query(pmysql, queries[i]))
dberror(pmysql, "Failed to insert grant line %d.", i + 1); dberror(pmysql, "Failed to insert grant line %d.", i + 1);
free(queries[i]);
} }
return 0; return 0;
@ -517,7 +590,7 @@ main(int argc, char *argv[])
else else
return wrong_use("unrecognized command"); /* XXX */ return wrong_use("unrecognized command"); /* XXX */
/* all other than show requires at lease one DATABASE argument. */ /* all other than show requires at least one DATABASE argument. */
if ((command != c_show) && (argc < 3)) if ((command != c_show) && (argc < 3))
return wrong_use(NULL); return wrong_use(NULL);