Re: [Openvas-devel] [Openvas-commits] r14637 - in trunk/openvas-manager: . src

Tue, 27 Nov 2012 12:33:20 -0800 

> Author: kroosec
> Date: 2012-11-27 20:55:02 +0100 (Tue, 27 Nov 2012)
> New Revision: 14637
>
> Modified:
>    trunk/openvas-manager/ChangeLog
>    trunk/openvas-manager/src/manage_sql.c
> Log:
> Consistently use sql_quote in modify_filter and modify_slave.
>
> Modified: trunk/openvas-manager/ChangeLog
> ===================================================================
> --- trunk/openvas-manager/ChangeLog   2012-11-27 19:41:20 UTC (rev 14636)
> +++ trunk/openvas-manager/ChangeLog   2012-11-27 19:55:02 UTC (rev 14637)
> @@ -1,5 +1,10 @@
>  2012-11-27  Hani Benhabiles <kroo...@gmail.com>
>
> +     * src/manage_sql.c (modify_filter, modify_slave): Consistently
> +     sql_quote() for quoted variables.
> +
> +2012-11-27  Hani Benhabiles <kroo...@gmail.com>
> +
>       Adding support for slave cloning.
>
>       * src/omp.c (create_slave_data_t): Added copy member.
>
> Modified: trunk/openvas-manager/src/manage_sql.c
> ===================================================================
> --- trunk/openvas-manager/src/manage_sql.c    2012-11-27 19:41:20 UTC (rev 
> 14636)
> +++ trunk/openvas-manager/src/manage_sql.c    2012-11-27 19:55:02 UTC (rev 
> 14637)
> @@ -40234,41 +40234,29 @@
>          }
>      }
>    else
> -    quoted_name = NULL;
> +    quoted_name = sql_quote("");
>
> -  quoted_comment = comment ? sql_quote (comment) : NULL;
> -  quoted_host = host ? sql_quote (host) : NULL;
> +  quoted_comment = sql_quote (comment ? comment : "");
> +  quoted_host = sql_quote (host ? host : "");
>    quoted_port = sql_quote (port ? port : "");
>    quoted_login = sql_quote (login ? login : "");
>    quoted_password = sql_quote (password ? password : "");
>
>    sql ("UPDATE slaves SET"
> -       " name = %s%s%s,"
> -       " comment = %s%s%s,"
> -       " host = %s%s%s,"
> -       " port = %s%s%s,"
> -       " login = %s%s%s,"
> -       " password = %s%s%s,"
> +       " name = %s,"
> +       " comment = %s,"
> +       " host = %s,"
> +       " port = %s,"
> +       " login = %s,"
> +       " password = %s,"

Hey, test this with a name with a space, it should abort.  The input must
be quoted, like

  +       " password = '%s',"

sql_quote just escapes the single quotes that occur within the string (e.g.
a password of "abc'de").

--
Greenbone Networks GmbH
Neuer Graben 17, 49074 Osnabrueck, Germany | AG Osnabrueck, HR B 202460
Executive Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner
_______________________________________________
Openvas-devel mailing list
Openvas-devel@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-devel

Reply via email to