Search queries not properly escaped. #5870
Comments
Commented by: bkgood This really isn't a security issue, I don't think. Remote SQL injection is always a concern on web-based projects, but a user can screw up their own local database in Mixxx any number of ways, including That said, this does appear to be a bug in its own right.
Commented by: ywwg My thinking was that DJ laptops tend to be in public areas, and I could imagine some smartass waiting until the laptop is unattended and then typing in a search query that destroys the DJ's library.
Commented by: bkgood Could this be fixed by just subbing in the search term after the .arg calls are made? Also, this is a bit weird, as the Qt docs (http://doc.qt.nokia.com/latest/qstring.html#arg) say the markers must be in %[1-99], i.e., not including zero, so I'm not sure why QString::arg is subbing it out, but this bug will still be triggered by other strings beginning with numerals (if I'm understanding this correctly).
Commented by: rryan Whoops, fixed this in Bug #905776
Commented by: mangelasakis There is still a serious bug. Mixxx does not import all mp3 files in the library. Perhaps this is related to the bug here, and I mention this in the same section.
Commented by: rryan Hi mangelasakis, it's not likely the two issues are related, given that this bug refers to issues when using the search feature and your problem would be related to the library scanner. Could you file a separate bug please?
Issue closed with status Fix Released.
Reported by: ywwg
Date: 2011-04-21T03:26:38Z
Status: Fix Released
Importance: Medium
Launchpad Issue: lp768022
Search terms beginning with numbers cause problems in the query-building code of basesqltablemodel. In my case, I have a folder called "00MIXING" where I put all my mixing tracks. Searching for "00MIXING" fails, because the following query is built:
"SELECT id FROM library_view WHERE ((artist LIKE 'ORDER BY lower(library_view."datetime_added") DESCmixi%' OR album LIKE 'ORDER BY lower(library_view."datetime_added") DESCmixi%' OR location LIKE 'ORDER BY lower(library_view."datetime_added") DESCmixi%' OR comment LIKE 'ORDER BY lower(library_view."datetime_added") DESCmixi%' OR title LIKE 'ORDER BY lower(library_view."datetime_added") DESCmixi%')) %4"
For example, a proper search string, using just "MIXING", yields:
"SELECT id FROM library_view WHERE ((artist LIKE '%mixing%' OR album LIKE '%mixing%' OR location LIKE '%mixing%' OR comment LIKE '%mixing%' OR title LIKE '%mixing%')) ORDER BY lower(library_view."datetime_added") DESC"
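The failure mode above, reproduced as an added example that is not Mixxx's code: `qt_arg` is a constructed stand-in for the lowest-numbered-marker rule of `QString::arg()` (it also accepts a `%00` marker, which is what the reported query shows being consumed), `build_query_unsafe` splices the user's term in before a later `.arg()` call, and `search_safe` shows the fix a defender wants, binding the term as a query parameter so it is never re-parsed as SQL or as a marker. The `library_view` rows, column list and `ORDER BY` clause are constructed for the demo.

```python
import re
import sqlite3

COLUMNS = ("artist", "album", "location", "comment", "title")
ORDER_BY = 'ORDER BY lower(library_view."datetime_added") DESC'
MARKER = re.compile(r"%(\d{1,2})")  # a %N place marker, N = one or two digits


def qt_arg(template, value):
    """Constructed stand-in for QString::arg(): replace every occurrence of the
    lowest-numbered %N marker; "%00" counts as marker 0, as the report shows."""
    matches = list(MARKER.finditer(template))
    if not matches:
        return template
    lowest = min(int(m.group(1)) for m in matches)
    out, pos = [], 0
    for m in matches:
        if int(m.group(1)) == lowest:
            out.append(template[pos:m.start()] + value)
            pos = m.end()
    out.append(template[pos:])
    return "".join(out)


def build_query_unsafe(term, order_by=ORDER_BY):
    """Vulnerable pattern: the user's term is spliced in by the first arg() call,
    so a term starting with digits ('%00mixing%') becomes a marker for the second."""
    pattern = "'%" + term.lower() + "%'"
    where = " OR ".join(f"{c} LIKE {pattern}" for c in COLUMNS)
    return qt_arg(qt_arg("SELECT id FROM library_view WHERE (%1) %2", where), order_by)


def search_safe(conn, term, order_by="lower(datetime_added) DESC"):
    """Fixed pattern: only developer-controlled SQL is assembled as text; the
    user's term travels as a bound parameter and is never re-parsed."""
    where = " OR ".join(f"{c} LIKE ?" for c in COLUMNS)
    sql = f"SELECT id FROM library_view WHERE ({where}) ORDER BY {order_by}"
    rows = conn.execute(sql, ["%" + term.lower() + "%"] * len(COLUMNS))
    return [row[0] for row in rows]


def demo_db():
    """Constructed two-row library so the safe search can run offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE library_view "
                 "(id, artist, album, location, comment, title, datetime_added)")
    conn.executemany("INSERT INTO library_view VALUES (?,?,?,?,?,?,?)", [
        (1, "DJ A", "Set", "/music/00MIXING/a.mp3", "", "Track A", "2011-04-01"),
        (2, "DJ B", "Set", "/music/live/b.mp3", "", "Mixing Live", "2011-04-02"),
    ])
    return conn
```

Running `build_query_unsafe("00MIXING")` yields a query whose `LIKE` patterns begin with the `ORDER BY` clause and whose trailing `%2` is never substituted, exactly the shape reported above, while `search_safe` finds the `00MIXING` track regardless of how the term starts.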