From 8c27bed4383dd5c0c7b96ea678d420cb68248ad2 Mon Sep 17 00:00:00 2001
From: Tanguy Pruvot
Date: Tue, 13 Mar 2018 19:08:11 +0100
Subject: [PATCH] stratum: remove useless mysql escape + fix for stats

the custom check is already more secure than "unknown" mysql code
---
 stratum/db.cpp | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/stratum/db.cpp b/stratum/db.cpp
index 2e90eac..3b34415 100644
--- a/stratum/db.cpp
+++ b/stratum/db.cpp
@@ -43,20 +43,15 @@ void db_close(YAAMP_DB *db)
 char *db_clean_string(YAAMP_DB *db, char *string)
 {
- char escaped[512] = { 0 };
 char *c = string;
-
- size_t i, len = strlen(string);
- for (i = 0; i < len && i < sizeof(escaped); i++) {
+ size_t i, len = strlen(string) & 0x1FF;
+ for (i = 0; i < len; i++) {
 bool isdigit = (c[i] >= '0' && c[i] <= '9');
 bool isalpha = (c[i] >= 'a' && c[i] <= 'z') || (c[i] >= 'A' && c[i] <= 'Z');
 bool issepch = (c[i] == '=' || c[i] == ',' || c[i] == ';' || c[i] == '.');
 bool isextra = (c[i] == '/' || c[i] == '-' || c[i] == '_');
 if (!isdigit && !isalpha && !issepch && !isextra) {
 c[i] = '\0';
 break;
 }
 }
- mysql_real_escape_string(&db->mysql, escaped, string, strlen(string));
- strcpy(string, escaped);
-
 return string;
 }
@@ -537,9 +532,14 @@ static void _json_str_safe(YAAMP_DB *db, json_value *json, const char *key, size
 json_value *val = json_get_val(json, key);
 out[0] = '\0';
 if (db && val && json_is_string(val)) {
- strncpy(out, json_string_value(val), maxlen);
+ char str[128] = { 0 };
+ char escaped[256] = { 0 };
+ snprintf(str, sizeof(str)-1, "%s", json_string_value(val));
+ str[maxlen-1] = '\0'; // truncate to dest len
+ //db_clean_string(db, str);
+ mysql_real_escape_string(&db->mysql, escaped, str, strlen(str));
+ snprintf(out, maxlen, "%s", escaped);
 out[maxlen-1] = '\0';
- db_clean_string(db, out);
 }
 }
 #define json_str_safe(stats, k, out) _json_str_safe(db, stats, k, sizeof(out), out)
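Review bot: `strlen(string) & 0x1FF` in db_clean_string is a modulo, not a cap: a 600-byte input gives `len = 88`, so only the first 88 bytes pass through the whitelist loop and everything after them is returned untouched, which matters now that the escaping step after the loop is gone. The old `i < sizeof(escaped)` bound only existed for the removed buffer, so either scan the whole string or truncate it at the limit: `size_t i, len = strlen(string); if (len > 0x1FF) { len = 0x1FF; string[len] = '\0'; }`. The `db` parameter is no longer read anywhere in the function after this change; keeping it for the callers is fine, but a `(void)db;` or a one-line comment would make that intentional rather than an oversight.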
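Review bot: `str[maxlen-1] = '\0'` in _json_str_safe indexes the 128-byte local `str` with the caller's destination size, so any `out` larger than 128 bytes writes past the end of `str`, and `maxlen == 0` would index at `SIZE_MAX`; the callers are outside the hunk, so whether such a size exists is not visible here. The second problem is the final `snprintf(out, maxlen, "%s", escaped)`: escaping can double the length, and truncating after escaping can cut a backslash pair in half, leaving `out` ending in a lone `\` that escapes the closing quote of whatever SQL literal it is later pasted into. Clamp the copy length to the smaller of `maxlen` and `sizeof str`, size `escaped` as `2 * sizeof(str) + 1` so it can never overflow, and use the length returned by `mysql_real_escape_string` to reject a result that does not fit rather than truncate it; the `out[0] = '\0'` context line above already provides the empty-string fallback.
```c
	if (db && val && json_is_string(val)) {
		char str[128] = { 0 };
		char escaped[2 * sizeof(str) + 1] = { 0 };
		size_t lim = maxlen < sizeof(str) ? maxlen : sizeof(str);
		if (lim == 0)
			return;
		snprintf(str, lim, "%s", json_string_value(val)); /* bounded by both dest and str */
		unsigned long elen = mysql_real_escape_string(&db->mysql, escaped, str, strlen(str));
		/* never truncate an escaped string: a split escape pair can leave a trailing '\' */
		if (elen < maxlen)
			memcpy(out, escaped, elen + 1);
		/* … unchanged: out[maxlen-1] = '\0'; … */
	}
```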