Fix possibility for SQL injection attack.
authorMartín Ferrari <tincho@tincho.org>
Sun, 27 Aug 2017 22:05:04 +0000 (00:05 +0200)
committerPhilipp Spitzer <philipp@spitzer.priv.at>
Wed, 30 Aug 2017 17:44:17 +0000 (19:44 +0200)
src/mvc/track.cpp

index 1c563d6..139b199 100644 (file)
@@ -40,10 +40,16 @@ int Track::insert()
 {
     QSqlQuery query;
     QString trackname = name();
-    query.prepare("INSERT INTO " + sTableName + " (" + CONFERENCEID + "," + NAME + ")" + " VALUES " + "(\"" + QString::number(conferenceid()) + "\",\"" + trackname + "\")");
+    query.prepare(
+            QString("INSERT INTO %1 (%2, %3) VALUES (:xid_conference, :name)")
+            .arg(sTableName, CONFERENCEID, NAME));
+    query.bindValue(":xid_conference", conferenceid());
+    query.bindValue(":name", trackname);
     if (!query.exec())
     {
-        throw TrackInsertException("Inserting track '" + trackname + "' into database failed.");
+        throw TrackInsertException(
+                "Inserting track '" + trackname + "' into database failed: " +
+                query.lastError().text());
     }
     QVariant variant = query.lastInsertId();
     if (variant.isValid())
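Review bot: The table and column identifiers on lines 15-16 are still spliced into the statement text with `QString::arg`, which the bound parameters on lines 17-18 cannot replace, since placeholders only cover values, not identifiers. That is sound only while `sTableName`, `CONFERENCEID` and `NAME` remain fixed constants rather than anything derived from input, which the hunk does not show; a comment above the `prepare` call would keep the next maintainer from routing a runtime string through it: `// Identifiers cannot be bound as parameters; sTableName/CONFERENCEID/NAME must stay fixed constants.` The exception text on lines 22-24 now embeds `query.lastError().text()`, which helps diagnosis but may carry driver-specific detail; if the message is surfaced to users rather than logged, consider keeping that detail in the log only. `Track::insert` begins before the hunk and its body continues past it.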