Fix possibility for SQL injection attack.

author Martín Ferrari <tincho@tincho.org>

Sun, 27 Aug 2017 22:05:04 +0000 (00:05 +0200)

committer Philipp Spitzer <philipp@spitzer.priv.at>

Wed, 30 Aug 2017 17:44:17 +0000 (19:44 +0200)
author Martín Ferrari <tincho@tincho.org>
Sun, 27 Aug 2017 22:05:04 +0000 (00:05 +0200)
committer Philipp Spitzer <philipp@spitzer.priv.at>
Wed, 30 Aug 2017 17:44:17 +0000 (19:44 +0200)
diff --git a/src/mvc/track.cpp b/src/mvc/track.cpp

index 1c563d61f167d25d5244eff6801c02bb256fd010..139b1990798034fa7de249e66c429dab04df4212 100644 (file)
--- a/src/mvc/track.cpp
+++ b/src/mvc/track.cpp
@@ -40,10 +40,16 @@ int Track::insert()
  {
      QSqlQuery query;
      QString trackname = name();
-    query.prepare("INSERT INTO " + sTableName + " (" + CONFERENCEID + "," + NAME + ")" + " VALUES " + "(\"" + QString::number(conferenceid()) + "\",\"" + trackname + "\")");
+    query.prepare(
+            QString("INSERT INTO %1 (%2, %3) VALUES (:xid_conference, :name)")
+            .arg(sTableName, CONFERENCEID, NAME));
+    query.bindValue(":xid_conference", conferenceid());
+    query.bindValue(":name", trackname);
      if (!query.exec())
      {
-        throw TrackInsertException("Inserting track '" + trackname + "' into database failed.");
+        throw TrackInsertException(
+                "Inserting track '" + trackname + "' into database failed: " +
+                query.lastError().text());
      }
      QVariant variant = query.lastInsertId();
      if (variant.isValid())
author	Martín Ferrari <tincho@tincho.org>
	Sun, 27 Aug 2017 22:05:04 +0000 (00:05 +0200)
committer	Philipp Spitzer <philipp@spitzer.priv.at>
	Wed, 30 Aug 2017 17:44:17 +0000 (19:44 +0200)