sharpetronics/QGIS
1
0
Fork 0
mirror of https://github.com/qgis/QGIS.git synced 2025-03-01 00:46:20 -05:00
Code Issues Packages Projects Releases Wiki Activity

Prevent SQL injection by using sqlite3_mprintf

Browse Source
This commit is contained in:
Alessandro Pasotti 2017-08-17 20:31:44 +02:00
parent b46c9c3424
commit bcd495c693
1 changed files with 12 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
src/providers/ogr/qgsgeopackagedataitems.cpp
View File

@ -514,7 +514,7 @@ void QgsGeoPackageAbstractLayerItem::deleteLayer()
}
else
{
QMessageBox::information( nullptr, tr( "Delete Layer" ), tr( "Layer deleted successfully." ) );
QMessageBox::information( nullptr, tr( "Delete Layer" ), tr( "Layer <b>%1</b> deleted successfully." ).arg( mName ) );
if ( mParent )
mParent->refresh();
}
@ -577,19 +577,24 @@ bool QgsGeoPackageRasterLayerItem::executeDeleteLayer( QString &errCause )
else
{
// Remove table
QString sql;
char *errmsg = NULL;
sql = QStringLiteral( "DROP table %1;"
"DELETE FROM gpkg_contents WHERE table_name = '%1';"
"DELETE FROM gpkg_tile_matrix WHERE table_name = '%1';"
"DELETE FROM gpkg_tile_matrix_set WHERE table_name = '%1';" ).arg( layerName );
char *sql = sqlite3_mprintf(
"DROP table %w;"
"DELETE FROM gpkg_contents WHERE table_name = '%q';"
"DELETE FROM gpkg_tile_matrix WHERE table_name = '%q';"
"DELETE FROM gpkg_tile_matrix_set WHERE table_name = '%q';",
layerName.toUtf8().constData(),
layerName.toUtf8().constData(),
layerName.toUtf8().constData(),
layerName.toUtf8().constData() );
status = sqlite3_exec(
handle, /* An open database */
sql.toUtf8().constData(), /* SQL to be evaluated */
sql, /* SQL to be evaluated */
NULL, /* Callback function */
NULL, /* 1st argument to callback */
&errmsg /* Error msg written here */
);
sqlite3_free( sql );
if ( status == SQLITE_OK )
{
result = true;