stratum: remove useless mysql escape + fix for stats

the custom check is already more secure than "unknown" mysql code
Tanguy Pruvot 2018-03-13 19:08:11 +01:00
parent 3624f2c44d
commit 8c27bed438


@ -43,20 +43,15 @@ void db_close(YAAMP_DB *db)
char *db_clean_string(YAAMP_DB *db, char *string) char *db_clean_string(YAAMP_DB *db, char *string)
{ {
char escaped[512] = { 0 };
char *c = string; char *c = string;
size_t i, len = strlen(string) & 0x1FF;
size_t i, len = strlen(string); for (i = 0; i < len; i++) {
for (i = 0; i < len && i < sizeof(escaped); i++) {
bool isdigit = (c[i] >= '0' && c[i] <= '9'); bool isdigit = (c[i] >= '0' && c[i] <= '9');
bool isalpha = (c[i] >= 'a' && c[i] <= 'z') || (c[i] >= 'A' && c[i] <= 'Z'); bool isalpha = (c[i] >= 'a' && c[i] <= 'z') || (c[i] >= 'A' && c[i] <= 'Z');
bool issepch = (c[i] == '=' || c[i] == ',' || c[i] == ';' || c[i] == '.'); bool issepch = (c[i] == '=' || c[i] == ',' || c[i] == ';' || c[i] == '.');
bool isextra = (c[i] == '/' || c[i] == '-' || c[i] == '_'); bool isextra = (c[i] == '/' || c[i] == '-' || c[i] == '_');
if (!isdigit && !isalpha && !issepch && !isextra) { c[i] = '\0'; break; } if (!isdigit && !isalpha && !issepch && !isextra) { c[i] = '\0'; break; }
} }
mysql_real_escape_string(&db->mysql, escaped, string, strlen(string));
strcpy(string, escaped);
return string; return string;
} }
@ -537,9 +532,14 @@ static void _json_str_safe(YAAMP_DB *db, json_value *json, const char *key, size
json_value *val = json_get_val(json, key); json_value *val = json_get_val(json, key);
out[0] = '\0'; out[0] = '\0';
if (db && val && json_is_string(val)) { if (db && val && json_is_string(val)) {
strncpy(out, json_string_value(val), maxlen); char str[128] = { 0 };
char escaped[256] = { 0 };
snprintf(str, sizeof(str)-1, "%s", json_string_value(val));
str[maxlen-1] = '\0'; // truncate to dest len
//db_clean_string(db, str);
mysql_real_escape_string(&db->mysql, escaped, str, strlen(str));
snprintf(out, maxlen, "%s", escaped);
out[maxlen-1] = '\0'; out[maxlen-1] = '\0';
db_clean_string(db, out);
} }
} }
#define json_str_safe(stats, k, out) _json_str_safe(db, stats, k, sizeof(out), out) #define json_str_safe(stats, k, out) _json_str_safe(db, stats, k, sizeof(out), out)
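Review bot: The new body of `_json_str_safe` truncates after escaping — `snprintf(out, maxlen, "%s", escaped)` can cut the escaped text in the middle of a two-byte escape sequence, leaving e.g. a lone trailing backslash that escapes the closing quote of whatever query the caller builds from `out`; the safe order is to shorten the source first so that its escaped form (at most 2*len+1 bytes) always fits `out`. `str[maxlen-1] = '\0'` also indexes the 128-byte local with the caller's buffer size, so any caller whose `out` exceeds 128 bytes writes past `str` — the callers are not in the hunk, so this is unverified here, and the trailing `out[maxlen-1] = '\0'` is redundant once `snprintf` is given `maxlen`. In the first hunk, `strlen(string) & 0x1FF` wraps instead of clamping, so a 512-byte input is not scanned at all and a longer one only partially; `size_t i, len = strlen(string);` followed by `if (len > 0x1FF) { string[0x1FF] = '\0'; len = 0x1FF; }` keeps the bound the removed `sizeof(escaped)` check provided. The commented-out `//db_clean_string(db, str);` can be dropped rather than kept as dead code.
```c
	if (db && val && json_is_string(val)) {
		char str[128] = { 0 };
		char escaped[256] = { 0 };
		/* mysql_real_escape_string may double every byte (+1 for NUL): keep
		   the source short enough that the escaped form always fits in out */
		size_t keep = (maxlen - 1) / 2;
		if (keep >= sizeof(str)) keep = sizeof(str) - 1;
		snprintf(str, keep + 1, "%s", json_string_value(val));
		mysql_real_escape_string(&db->mysql, escaped, str, strlen(str));
		snprintf(out, maxlen, "%s", escaped);
	}
```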