Use parametetrized SQL statement
Moving to a parameterized SQL statement allows using characters like "'" in
notes and also avoids SQL injection
Omer Dagan committed Mar 3, 2022
1 parent cc5aa18 commit 7a7d737
Showing 3 changed files with 28 additions and 6 deletions.
3 changes: 3 additions & 0 deletions CHANGELOG
Expand Up @@ -85,3 +85,6 @@ CHANGES:
<mr.omer.dagan <at> gmail.com>)
- remove variable definitions in header file that caused issues
with gcc 10
0.3.10
- Move to parametetrized SQL statement allows using chars like "'"
in notes, and also avoid sql injection
28 changes: 23 additions & 5 deletions src/db.c
Expand Up @@ -285,18 +285,36 @@ int db_update(char* name, char* value)
* if it's meant to be encrypted, then crypt_key will be set */
if (crypt_key) {
value = note_encrypt(value,crypt_key);
r = asprintf(&sql, "UPDATE nodau set text='%s' , encrypted='true' WHERE name='%s'", value, name);
free(value);
if (r < 0)
if (asprintf(&sql, "UPDATE nodau set text=?, encrypted='true' WHERE name=?") < 0)
return 1;
}else{
if (asprintf(&sql, "UPDATE nodau set text='%s' , encrypted='false' WHERE name='%s'", value, name) < 0)
if (asprintf(&sql, "UPDATE nodau set text=?, encrypted='false' WHERE name=?") < 0)
return 1;
}

sqlite3_stmt *compiled_statement;
r = sqlite3_prepare_v2(db_data.db, sql, -1, &compiled_statement, NULL);
if (r != SQLITE_OK)
return 1;

r= sqlite3_bind_text(compiled_statement, 1, value, -1, NULL);
r= sqlite3_bind_text(compiled_statement, 2, name, -1, NULL);
if (r != SQLITE_OK)
return 1;

/* do it */
r = sqlite3_exec(db_data.db, sql, NULL, 0, &db_data.error_msg);
r = sqlite3_step(compiled_statement);
if (r != SQLITE_DONE) {
fprintf(stderr, "Error #%d: %s\n", r, db_err());
return 1;
}
r = sqlite3_finalize(compiled_statement);
if (r != SQLITE_OK)
fprintf(stderr, "Error #%d: %s\n", r, db_err());

free(sql);
if (crypt_key)
free(value);
return r;
}
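Review bot: The return value of the first bind is discarded at `r= sqlite3_bind_text(compiled_statement, 1, value, -1, NULL);` because the next line overwrites `r` before the `SQLITE_OK` check, so a failed bind of the note text is never detected and the statement is stepped with column 1 unbound (SQLite treats it as NULL). The new early returns also leak: a failed prepare, bind or step returns 1 without `free(sql)`, without `sqlite3_finalize`, and without freeing the encrypted `value`, and the `return 1;` after the first asprintf inside `if (crypt_key)` already leaks the fresh `value` as well. Passing NULL as the destructor is SQLITE_STATIC, so `value` and `name` must outlive the statement; the hunk gets that order right (finalize before `free(value)`) and the rewrite below preserves it while routing every failure through one cleanup label, returning 0 on success and 1 on any error, which is what edit.c's check already accepts. db_update starts before this hunk, so only its tail is shown and the asprintf lines are left as they are apart from the leak noted.
```c
    /* … unchanged: asprintf of the parameterized UPDATE text … */

    sqlite3_stmt *compiled_statement = NULL;
    int rc = 1;                              /* pessimistic; cleared only after a successful step */
    r = sqlite3_prepare_v2(db_data.db, sql, -1, &compiled_statement, NULL);
    if (r != SQLITE_OK)
        goto out;

    /* NULL destructor == SQLITE_STATIC: value and name must stay valid until finalize,
     * so the encrypted copy is freed only after the statement is finalized */
    if (sqlite3_bind_text(compiled_statement, 1, value, -1, NULL) != SQLITE_OK ||
        sqlite3_bind_text(compiled_statement, 2, name, -1, NULL) != SQLITE_OK)
        goto out;

    /* do it */
    r = sqlite3_step(compiled_statement);
    if (r != SQLITE_DONE) {
        fprintf(stderr, "Error #%d: %s\n", r, db_err());
        goto out;
    }
    rc = 0;

out:
    /* finalize(NULL) is a no-op; after a failed step it reports that error again,
     * which must not turn a success into a failure or vice versa */
    if (sqlite3_finalize(compiled_statement) != SQLITE_OK && rc == 0)
        rc = 1;
    free(sql);
    if (crypt_key)
        free(value);
    return rc;
```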

3 changes: 2 additions & 1 deletion src/edit.c
Expand Up @@ -193,7 +193,8 @@ static int edit_ext(char* editor, char* name, char* date, char* data)
if (l) {
/* save the note */
l += 6;
if (db_update(name,l))
int r = db_update(name,l);
if (r != SQLITE_DONE && r != SQLITE_OK)
return 1;

/* let the user know */
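Review bot: The new condition `if (r != SQLITE_DONE && r != SQLITE_OK)` accepts a value db_update never produces on the visible path: in src/db.c the function returns 1 on every failure and the sqlite3_finalize result (SQLITE_OK) on success, so SQLITE_DONE is only reachable if db_update's return convention changes again. Treating a sqlite status code as the contract also means edit.c now needs sqlite3.h for SQLITE_DONE/SQLITE_OK, which this hunk does not add and I cannot confirm is already included. Keeping the caller on the zero/non-zero convention, `if (db_update(name, l) != 0)` followed by `return 1;`, avoids both and matches the check the line it replaces was already making. edit_ext starts before and ends after this hunk.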
