080a160c7b9595d516c9c70e83689a09b60839d0 galt Mon Jun 3 12:16:53 2013 -0700 fix SQL Injection
diff --git src/hg/hgLogin/gbMembers.c src/hg/hgLogin/gbMembers.c
index 87d5b6d..29f3295 100644
--- src/hg/hgLogin/gbMembers.c
+++ src/hg/hgLogin/gbMembers.c
@@ -44,82 +44,39 @@ while ((row = sqlNextRow(sr)) != NULL) { el = gbMembersLoad(row); slAddHead(&list, el); } slReverse(&list); sqlFreeResult(&sr); return list; } void gbMembersSaveToDb(struct sqlConnection *conn, struct gbMembers *el, char *tableName, int updateSize) /* Save gbMembers as a row to the table specified by tableName. * As blob fields may be arbitrary size updateSize specifies the approx size * of a string that would contain the entire query. Arrays of native types are * converted to comma separated strings and loaded as such, User defined types are - * inserted as NULL. Note that strings must be escaped to allow insertion into the database. - * For example "autosql's features include" --> "autosql\'s features include" - * If worried about this use gbMembersSaveToDbEscaped() */ + * inserted as NULL. Strings are automatically escaped to allow insertion into the database. */ { struct dyString *update = newDyString(updateSize); -dyStringPrintf(update, "insert into %s values ( %u,'%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s')", +sqlDyStringPrintf(update, "insert into %s values ( %u,'%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s')", tableName, el->idx, el->userName, el->realName, el->password, el->email, el->lastUse, el->newPassword, el->newPasswordExpire, el->dateActivated, el->emailToken, el->emailTokenExpires, el->passwordChangeRequired, el->accountActivated); sqlUpdate(conn, update->string); freeDyString(&update); } -void gbMembersSaveToDbEscaped(struct sqlConnection *conn, struct gbMembers *el, char *tableName, int updateSize) -/* Save gbMembers as a row to the table specified by tableName. - * As blob fields may be arbitrary size updateSize specifies the approx size. - * of a string that would contain the entire query. Automatically - * escapes all simple strings (not arrays of string) but may be slower than gbMembersSaveToDb(). 
- * For example automatically copies and converts: - * "autosql's features include" --> "autosql\'s features include" - * before inserting into database. */ -{ -struct dyString *update = newDyString(updateSize); -char *userName, *realName, *password, *email, *lastUse, *newPassword, *newPasswordExpire, *dateActivated, *emailToken, *emailTokenExpires, *passwordChangeRequired, *accountActivated; -userName = sqlEscapeString(el->userName); -realName = sqlEscapeString(el->realName); -password = sqlEscapeString(el->password); -email = sqlEscapeString(el->email); -lastUse = sqlEscapeString(el->lastUse); -newPassword = sqlEscapeString(el->newPassword); -newPasswordExpire = sqlEscapeString(el->newPasswordExpire); -dateActivated = sqlEscapeString(el->dateActivated); -emailToken = sqlEscapeString(el->emailToken); -emailTokenExpires = sqlEscapeString(el->emailTokenExpires); -passwordChangeRequired = sqlEscapeString(el->passwordChangeRequired); -accountActivated = sqlEscapeString(el->accountActivated); - -dyStringPrintf(update, "insert into %s values ( %u,'%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s','%s')", - tableName, el->idx, userName, realName, password, email, lastUse, newPassword, newPasswordExpire, dateActivated, emailToken, emailTokenExpires, passwordChangeRequired, accountActivated); -sqlUpdate(conn, update->string); -freeDyString(&update); -freez(&userName); -freez(&realName); -freez(&password); -freez(&email); -freez(&lastUse); -freez(&newPassword); -freez(&newPasswordExpire); -freez(&dateActivated); -freez(&emailToken); -freez(&emailTokenExpires); -freez(&passwordChangeRequired); -freez(&accountActivated); -} struct gbMembers *gbMembersLoad(char **row) /* Load a gbMembers from row fetched with select * from gbMembers * from database. Dispose of this with gbMembersFree(). 
*/ { struct gbMembers *ret; AllocVar(ret); ret->idx = sqlUnsigned(row[0]); ret->userName = cloneString(row[1]); ret->realName = cloneString(row[2]); ret->password = cloneString(row[3]); ret->email = cloneString(row[4]); ret->lastUse = cloneString(row[5]); ret->newPassword = cloneString(row[6]);
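Review bot: The new sqlDyStringPrintf call in gbMembersSaveToDb escapes the twelve single-quoted '%s' values, but the first %s is the unquoted identifier tableName, and string-literal escaping does not make an identifier safe to splice into SQL; how sqlDyStringPrintf treats an unquoted %s is not visible in this hunk, so the fix still relies on every caller passing a trusted, fixed table name. I would make that contract explicit in the updated header comment, e.g. ` * tableName must be a trusted identifier (a literal or configuration value); only the quoted values are escaped.`. The commit also drops gbMembersSaveToDbEscaped, so any remaining caller outside this file will fail to link; worth a grep before merging. gbMembersSaveToDb is complete within the hunk, while the trailing context belongs to gbMembersLoad, whose body continues past the hunk.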