Changeset 15849

Timestamp:
04.06.2008 14:14:48 (12 years ago)
Author:
mdewsnip
Message:

(Adding new DB support) Adding a "sqlite_safe()" function for escaping any single quotes in values going into SQL statements, and applying it everywhere it might be required.

Location:
gsdl/trunk/lib
Files:
2 modified

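--- a/gsdl/trunk/lib/sqlitedbclass.cpp
+++ b/gsdl/trunk/lib/sqlitedbclass.cpp
@@ -93,5 +93,5 @@
 void sqlitedbclass::deletekey (const text_t &key)
 {
-  text_t sql_cmd = "DELETE FROM data WHERE key='" + key + "'";
+  text_t sql_cmd = "DELETE FROM data WHERE key='" + sqlite_safe(key) + "'";
   sqlexec(sql_cmd);
 }
@@ -116,5 +116,5 @@
   {
     // No sorting required
-    sql_cmd = "SELECT docOID FROM document_metadata WHERE element='" + metadata_element_name + "' AND value='" + metadata_value + "'";
+    sql_cmd = "SELECT docOID FROM document_metadata WHERE element='" + sqlite_safe(metadata_element_name) + "' AND value='" + sqlite_safe(metadata_value) + "'";
   }
   else
@@ -122,5 +122,5 @@
     // Sort the documents by a certain metadata element
     // John Thompson thinks this may not be the most efficient solution, and recommends using ON instead of WHERE
-    sql_cmd = "SELECT b.docOID FROM document_metadata AS a LEFT JOIN document_metadata AS b USING (docOID) WHERE a.element='" + metadata_element_name + "' AND a.value='" + metadata_value + "' AND b.element='" + sort_by_metadata_element_name + "' ORDER BY b.value";
+    sql_cmd = "SELECT b.docOID FROM document_metadata AS a LEFT JOIN document_metadata AS b USING (docOID) WHERE a.element='" + sqlite_safe(metadata_element_name) + "' AND a.value='" + sqlite_safe(metadata_value) + "' AND b.element='" + sqlite_safe(sort_by_metadata_element_name) + "' ORDER BY b.value";
   }
   vector<text_tmap> sql_results;
@@ -153,5 +153,5 @@
 bool sqlitedbclass::getkeydata (const text_t& key, text_t &data)
 {
-  text_t sql_cmd = "SELECT value FROM data WHERE key='" + key + "'";
+  text_t sql_cmd = "SELECT value FROM data WHERE key='" + sqlite_safe(key) + "'";
   vector<text_tmap> sql_results;
   if (!sqlgetarray(sql_cmd, sql_results) || sql_results.size() == 0)
@@ -204,5 +204,5 @@
 
   // Get the entries in the "document_metadata" table where the element matches that specified
-  text_t sql_cmd = "SELECT value FROM document_metadata WHERE element='" + metadata_element_name + "'";
+  text_t sql_cmd = "SELECT value FROM document_metadata WHERE element='" + sqlite_safe(metadata_element_name) + "'";
   vector<text_tmap> sql_results;
   if (!sqlgetarray(sql_cmd, sql_results) || sql_results.size() == 0)
@@ -235,5 +235,5 @@
   else
   {
-    text_t sql_cmd = "UPDATE data SET value='" + data + "' WHERE key='" + key + "'";
+    text_t sql_cmd = "UPDATE data SET value='" + sqlite_safe(data) + "' WHERE key='" + sqlite_safe(key) + "'";
     return sqlexec(sql_cmd);
   }
@@ -253,4 +253,12 @@
   usleep(m);
 #endif
+}
+
+
+text_t sqlitedbclass::sqlite_safe (const text_t &value_arg)
+{
+  text_t value = value_arg;
+  value.replace("'", "''");
+  return value;
 }
 
@@ -346,5 +354,5 @@
 bool sqlitedbclass::sqltableexists(const text_t &table_name)
 {
-  text_t sql_cmd = "SELECT * FROM sqlite_master WHERE tbl_name='" + table_name + "'";
+  text_t sql_cmd = "SELECT * FROM sqlite_master WHERE tbl_name='" + sqlite_safe(table_name) + "'";
   vector<text_tmap> sql_results;
   if (!sqlgetarray(sql_cmd, sql_results) || sql_results.size() == 0)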
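Review bot: sqlite_safe (new lines 258-262) is a correct escape only when its result is placed between single quotes in a SQL string literal, and only if text_t::replace substitutes every occurrence of the quote rather than just the first — text_t is not visible here, so please confirm, since one missed quote still terminates the literal early. A contract comment above the definition would make that boundary explicit: `// Doubles every ' so the value can be embedded in a '...' SQL string literal; not for identifiers or unquoted numbers.` Every caller in this commit does use it inside a quoted literal, which is consistent with that contract. A more robust direction than escaping would be to have the sqlexec/sqlgetarray paths use sqlite3_prepare_v2 with sqlite3_bind_text, which takes string concatenation out of the query path altogether.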
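--- a/gsdl/trunk/lib/sqlitedbclass.h
+++ b/gsdl/trunk/lib/sqlitedbclass.h
@@ -69,4 +69,6 @@
   sqlite3* sqlitefile;
 
+  text_t sqlite_safe (const text_t &value_arg);
+
   bool sqlexec (const text_t &sql_cmd);
   bool sqlgetarray (const text_t &sql_cmd, vector<text_tmap> &sql_results);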
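Review bot: The new declaration at line 71 carries no documentation, and nothing in the visible definition in sqlitedbclass.cpp reads instance state, so it could be declared `static text_t sqlite_safe (const text_t &value_arg);` with a comment stating what it guarantees, e.g. `// Escape a value for use inside a single-quoted SQL string literal (doubles every ').` Making it static also lets any code that builds SQL without a sqlitedbclass instance reuse the same escaping instead of reimplementing it.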