From 50c848a982342bb24953a808247c69bcedc640c1 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Mart=C3=ADn=20Ferrari?=
Date: Mon, 28 Aug 2017 00:05:04 +0200
Subject: [PATCH] Fix possibility for SQL injection attack.

---
 src/mvc/track.cpp | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/mvc/track.cpp b/src/mvc/track.cpp
index 1c563d6..139b199 100644
--- a/src/mvc/track.cpp
+++ b/src/mvc/track.cpp
@@ -40,10 +40,16 @@ int Track::insert() {
 QSqlQuery query;
 QString trackname = name();
- query.prepare("INSERT INTO " + sTableName + " (" + CONFERENCEID + "," + NAME + ")" + " VALUES " + "(\"" + QString::number(conferenceid()) + "\",\"" + trackname + "\")");
+ query.prepare(
+ QString("INSERT INTO %1 (%2, %3) VALUES (:xid_conference, :name)")
+ .arg(sTableName, CONFERENCEID, NAME));
+ query.bindValue(":xid_conference", conferenceid());
+ query.bindValue(":name", trackname);
 if (!query.exec()) {
- throw TrackInsertException("Inserting track '" + trackname + "' into database failed.");
+ throw TrackInsertException(
+ "Inserting track '" + trackname + "' into database failed: "
+ query.lastError().text());
 }
 QVariant variant = query.lastInsertId();
 if (variant.isValid())
-- 
2.39.5
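Review bot: The table and column names are still spliced into the statement text by `.arg(sTableName, CONFERENCEID, NAME)` inside the new `query.prepare(...)` call; identifiers cannot be bound, so that is unavoidable, but it means the fix only holds while those three remain fixed constants that never derive from input, which deserves a comment above the call such as `// Identifiers cannot be bound as parameters; sTableName/CONFERENCEID/NAME must stay compile-time constants.` The values themselves now go through `bindValue(":xid_conference", ...)` and `bindValue(":name", ...)`, which is the right shape, and the driver no longer sees `trackname` as SQL text. The reworked throw appends `query.lastError().text()` to the `TrackInsertException` message, so driver and schema details now travel with the exception; whichever layer surfaces that message to a user should decide whether that extra detail belongs there. As rendered in this listing the last added line reads `+ query.lastError().text());` with no `+` concatenation operator ahead of `query`, which would not compile against the preceding string literal; that is most likely a collapsing artifact, but worth a glance at the real file. `Track::insert()` opens in the hunk header and its body continues past the last context line.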