Skip to content
Permalink
Browse files

Prevent SQL injection by using sqlite3_mprintf

  • Loading branch information
elpaso committed Aug 17, 2017
1 parent b46c9c3 commit bcd495c693b5c3126c2a382a445007f9545b02b2
Showing with 12 additions and 7 deletions.
  1. +12 −7 src/providers/ogr/qgsgeopackagedataitems.cpp
@@ -514,7 +514,7 @@ void QgsGeoPackageAbstractLayerItem::deleteLayer()
}
else
{
QMessageBox::information( nullptr, tr( "Delete Layer" ), tr( "Layer deleted successfully." ) );
QMessageBox::information( nullptr, tr( "Delete Layer" ), tr( "Layer <b>%1</b> deleted successfully." ).arg( mName ) );
if ( mParent )
mParent->refresh();
}
@@ -577,19 +577,24 @@ bool QgsGeoPackageRasterLayerItem::executeDeleteLayer( QString &errCause )
else
{
// Remove table
QString sql;
char *errmsg = NULL;
sql = QStringLiteral( "DROP table %1;"
"DELETE FROM gpkg_contents WHERE table_name = '%1';"
"DELETE FROM gpkg_tile_matrix WHERE table_name = '%1';"
"DELETE FROM gpkg_tile_matrix_set WHERE table_name = '%1';" ).arg( layerName );
char *sql = sqlite3_mprintf(
"DROP table %w;"
"DELETE FROM gpkg_contents WHERE table_name = '%q';"
"DELETE FROM gpkg_tile_matrix WHERE table_name = '%q';"
"DELETE FROM gpkg_tile_matrix_set WHERE table_name = '%q';",
layerName.toUtf8().constData(),
layerName.toUtf8().constData(),
layerName.toUtf8().constData(),
layerName.toUtf8().constData() );
status = sqlite3_exec(
handle, /* An open database */
sql.toUtf8().constData(), /* SQL to be evaluated */
sql, /* SQL to be evaluated */
NULL, /* Callback function */
NULL, /* 1st argument to callback */
&errmsg /* Error msg written here */
);
sqlite3_free( sql );
if ( status == SQLITE_OK )
{
result = true;

0 comments on commit bcd495c

Please sign in to comment.
You can’t perform that action at this time.