Bruker mysql_real_escape_string på alle spørringer
This commit is contained in:
parent
34bb77eca7
commit
59e7d4782e
127
mysql-dbadm.c
127
mysql-dbadm.c
|
@ -1,11 +1,13 @@
|
|||
/*
|
||||
* @(#) $Header: /tmp/cvs/mysql-admutils/mysql-dbadm.c,v 1.21 2007-06-07 11:43:52 geirha Exp $
|
||||
* @(#) $Header: /home/stud/admin/cvs/mysql-admutils/mysql-dbadm.c,v 1.20 2007/06/04 08:40:54 geirha Exp $
|
||||
*
|
||||
* mysql-dbadm.c
|
||||
*
|
||||
*/
|
||||
|
||||
#include <config.h>
|
||||
#include "config.h"
|
||||
#include "mysql-admutils.h"
|
||||
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <mysql.h>
|
||||
|
@ -16,12 +18,18 @@
|
|||
#include <grp.h>
|
||||
#include <sys/types.h>
|
||||
#include <unistd.h>
|
||||
#include "mysql-admutils.h"
|
||||
|
||||
/* New database names may only use these characters in their identifier */
|
||||
const char dbname_validchars[] =
|
||||
"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-";
|
||||
|
||||
/* same as strcpy, but returns a pointer to the end of dest instead of start */
|
||||
char *strmov(char *dest, const char *src) {
|
||||
while ((*dest++ = *src++))
|
||||
;
|
||||
return dest-1;
|
||||
}
|
||||
|
||||
/* Returns true if dbname contains only characters in dbname_validchars. */
|
||||
int dbname_isclean(char* dbname) {
|
||||
int reallen, cleanlen;
|
||||
|
@ -138,8 +146,14 @@ create(MYSQL *pmysql, char *db)
|
|||
}
|
||||
mysql_select_db(pmysql, "mysql");
|
||||
// oppretter databasen.
|
||||
char query[1024];
|
||||
sprintf(query, "create database `%s`", db);
|
||||
char query[1024], *end;
|
||||
end = strmov(query, "CREATE DATABASE `");
|
||||
end += mysql_real_escape_string(pmysql, end, db, strlen(db));
|
||||
*end++ = '`';
|
||||
*end = '\0';
|
||||
#ifdef DEBUG
|
||||
printf("query: %s\n", query);
|
||||
#endif
|
||||
if (mysql_query(pmysql, query))
|
||||
return dberror(pmysql, "Cannot create database '%s'.", db);
|
||||
fprintf(stderr, "Database '%s' created.\n", db);
|
||||
|
@ -150,9 +164,16 @@ create(MYSQL *pmysql, char *db)
|
|||
int
|
||||
drop(MYSQL *pmysql, char *db)
|
||||
{
|
||||
char query[1024];
|
||||
char query[1024], *end;
|
||||
|
||||
sprintf(query, "delete from db where db = '%s'", db);
|
||||
end = strmov(query, "DELETE FROM db WHERE db = '");
|
||||
end += mysql_real_escape_string(pmysql, end, db, strlen(db));
|
||||
*end++ = '\'';
|
||||
*end = '\0';
|
||||
|
||||
#ifdef DEBUG
|
||||
printf("query: %s\n", query);
|
||||
#endif
|
||||
if (mysql_query(pmysql, query))
|
||||
dberror(pmysql, "Failed to delete permissions for database '%s'.", db);
|
||||
|
||||
|
@ -162,7 +183,14 @@ drop(MYSQL *pmysql, char *db)
|
|||
}
|
||||
mysql_select_db(pmysql, "mysql");
|
||||
|
||||
sprintf(query, "drop database `%s`", db);
|
||||
end = strmov(query, "DROP DATABASE `");
|
||||
end += mysql_real_escape_string(pmysql, end, db, strlen(db));
|
||||
*end++ = '`';
|
||||
*end = '\0';
|
||||
|
||||
#ifdef DEBUG
|
||||
printf("query: %s\n", query);
|
||||
#endif
|
||||
if (mysql_query(pmysql, query))
|
||||
return dberror(pmysql, "Cannot drop database '%s'.", db);
|
||||
|
||||
|
@ -246,8 +274,7 @@ list(MYSQL *pmysql)
|
|||
|
||||
|
||||
free(wild);
|
||||
free(res);
|
||||
free(cp_kopi);
|
||||
mysql_free_result(res);
|
||||
cp++;
|
||||
}
|
||||
|
||||
|
@ -272,6 +299,7 @@ list(MYSQL *pmysql)
|
|||
dblist[counter++] = strdup(row[0]);
|
||||
}
|
||||
}
|
||||
mysql_free_result(res);
|
||||
|
||||
res = mysql_list_dbs(pmysql, p->pw_name);
|
||||
rows = mysql_num_rows(res);
|
||||
|
@ -280,7 +308,10 @@ list(MYSQL *pmysql)
|
|||
|
||||
dblist[counter] = NULL;
|
||||
|
||||
mysql_free_result(res);
|
||||
free(wild);
|
||||
for (i=0;i<numgroups;i++)
|
||||
free(usr_groups[i]);
|
||||
free(usr_groups);
|
||||
return dblist;
|
||||
}
|
||||
|
@ -289,15 +320,23 @@ list(MYSQL *pmysql)
|
|||
int
|
||||
writeperm(FILE *f, MYSQL *pmysql, const char *db)
|
||||
{
|
||||
char query[1024];
|
||||
char query[2048], *end;
|
||||
MYSQL_RES *res;
|
||||
int rows, i;
|
||||
MYSQL_ROW row;
|
||||
|
||||
sprintf(query, "select user,select_priv,insert_priv,update_priv,"
|
||||
"delete_priv,create_priv,drop_priv,alter_priv,index_priv,"
|
||||
"create_tmp_table_priv,lock_tables_priv from db where db='%s'", db);
|
||||
end = strmov(query, "SELECT user,select_priv,insert_priv,update_priv,"
|
||||
"delete_priv,create_priv,drop_priv,"
|
||||
"alter_priv,index_priv,"
|
||||
"create_tmp_table_priv,lock_tables_priv "
|
||||
"FROM db WHERE db = '");
|
||||
end += mysql_real_escape_string(pmysql, end, db, strlen(db));
|
||||
*end++ = '\'';
|
||||
*end = '\0';
|
||||
|
||||
#ifdef DEBUG
|
||||
printf("query: %s\n", query);
|
||||
#endif
|
||||
if (mysql_query(pmysql, query))
|
||||
return dberror(pmysql, "Query for permissions failed.");
|
||||
res = mysql_store_result(pmysql);
|
||||
|
@ -318,7 +357,7 @@ writeperm(FILE *f, MYSQL *pmysql, const char *db)
|
|||
row[0], row[1], row[2], row[3], row[4], row[5], row[6], row[7], row[8], row[9], row[10]);
|
||||
}
|
||||
}
|
||||
free(res);
|
||||
mysql_free_result(res);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
@ -349,17 +388,17 @@ editperm(MYSQL *pmysql, const char *db)
|
|||
char *user, *select_priv, *insert_priv, *update_priv, *delete_priv,
|
||||
*create_priv, *drop_priv, *alter_priv, *index_priv, *create_tmp_table_priv,
|
||||
*lock_tables_priv;
|
||||
char query[1024]; /* used to build a query */
|
||||
char query[4096], *end; /* used to build a query */
|
||||
char *queries[MAX_GRANTS]; /* insert queries */
|
||||
int lines; /* number of grant lines processed */
|
||||
int i; /* iterate through lines[] */
|
||||
|
||||
mkstemp(fn);
|
||||
int fd = mkstemp(fn);
|
||||
|
||||
if (strcmp(fn, "") == 0)
|
||||
if (fd == -1)
|
||||
return dberror(NULL, "Cannot create a unique temporary file name.");
|
||||
|
||||
f = fopen(fn, "w");
|
||||
f = fdopen(fd, "w");
|
||||
if (f == NULL)
|
||||
return dberror(NULL, "Failed to open temporary file %s.", fn);
|
||||
writeperm(f, pmysql, db);
|
||||
|
@ -432,12 +471,39 @@ editperm(MYSQL *pmysql, const char *db)
|
|||
#undef STRTOK_WHITESPACE
|
||||
#undef CHECK_PRIV
|
||||
|
||||
sprintf(query, "insert into db (host, db, user, select_priv, insert_priv, "
|
||||
"update_priv, delete_priv, create_priv, drop_priv, alter_priv, index_priv, "
|
||||
"create_tmp_table_priv, lock_tables_priv) values "
|
||||
"('%%', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s')",
|
||||
db, user, select_priv, insert_priv, update_priv, delete_priv,
|
||||
create_priv, drop_priv, alter_priv, index_priv, create_tmp_table_priv, lock_tables_priv);
|
||||
end = strmov(query, "INSERT INTO db ("
|
||||
"host,db,user,select_priv,insert_priv,"
|
||||
"update_priv,delete_priv,create_priv,"
|
||||
"drop_priv,alter_priv,index_priv,"
|
||||
"create_tmp_table_priv,lock_tables_priv"
|
||||
") VALUES (");
|
||||
|
||||
end = strmov(end, "'%'");
|
||||
|
||||
#define APPEND(VAR) {\
|
||||
*end++ = ',';\
|
||||
*end++ = '\'';\
|
||||
end += mysql_real_escape_string(pmysql, end, VAR, strlen(VAR));\
|
||||
*end++ = '\'';\
|
||||
}
|
||||
|
||||
APPEND(db);
|
||||
APPEND(user);
|
||||
APPEND(select_priv);
|
||||
APPEND(insert_priv);
|
||||
APPEND(update_priv);
|
||||
APPEND(delete_priv);
|
||||
APPEND(create_priv);
|
||||
APPEND(drop_priv);
|
||||
APPEND(alter_priv);
|
||||
APPEND(index_priv);
|
||||
APPEND(create_tmp_table_priv);
|
||||
APPEND(lock_tables_priv);
|
||||
*end++ = ')';
|
||||
*end = '\0';
|
||||
|
||||
#undef APPEND
|
||||
|
||||
queries[lines] = strdup(query);
|
||||
lines++;
|
||||
if (lines >= MAX_GRANTS)
|
||||
|
@ -454,7 +520,13 @@ editperm(MYSQL *pmysql, const char *db)
|
|||
/* now that we have checked the input for errors, we can safely
|
||||
delete the old grants from the database and insert the new ones. */
|
||||
|
||||
sprintf(query, "delete from db where db='%s'", db);
|
||||
end = strmov(query, "DELETE FROM db WHERE db = '");
|
||||
end += mysql_real_escape_string(pmysql, end, db, strlen(db));
|
||||
*end++ = '\'';
|
||||
*end = '\0';
|
||||
#ifdef DEBUG
|
||||
printf("query: %s\n", query);
|
||||
#endif
|
||||
if (mysql_query(pmysql, query))
|
||||
dberror(pmysql, "Failed to delete old grants for '%s'.", db);
|
||||
|
||||
|
@ -466,6 +538,7 @@ editperm(MYSQL *pmysql, const char *db)
|
|||
#endif
|
||||
if (mysql_query(pmysql, queries[i]))
|
||||
dberror(pmysql, "Failed to insert grant line %d.", i + 1);
|
||||
free(queries[i]);
|
||||
}
|
||||
|
||||
return 0;
|
||||
|
@ -517,7 +590,7 @@ main(int argc, char *argv[])
|
|||
else
|
||||
return wrong_use("unrecognized command"); /* XXX */
|
||||
|
||||
/* all other than show requires at lease one DATABASE argument. */
|
||||
/* all other than show requires at least one DATABASE argument. */
|
||||
if ((command != c_show) && (argc < 3))
|
||||
return wrong_use(NULL);
|
||||
|
||||
|
|
Loading…
Reference in New Issue