From 57c3794986e8cd011788c1ea3bded6bf3bcfa431 Mon Sep 17 00:00:00 2001 From: Eric Bollengier Date: Sat, 5 Feb 2011 11:30:39 +0100 Subject: [PATCH] Use db_escape_string() in all db_xxx functions --- bacula/src/cats/sql_create.c | 78 ++++++++++++++++++++++++++---------- bacula/src/cats/sql_delete.c | 4 +- bacula/src/cats/sql_find.c | 39 ++++++++++++------ bacula/src/cats/sql_get.c | 32 ++++++++++----- bacula/src/cats/sql_list.c | 23 +++++++---- bacula/src/cats/sql_update.c | 54 ++++++++++++++++--------- 6 files changed, 160 insertions(+), 70 deletions(-) diff --git a/bacula/src/cats/sql_create.c b/bacula/src/cats/sql_create.c index 5048923b22..53b4a690bc 100644 --- a/bacula/src/cats/sql_create.c +++ b/bacula/src/cats/sql_create.c @@ -68,6 +68,8 @@ db_create_job_record(JCR *jcr, B_DB *mdb, JOB_DBR *jr) int len; utime_t JobTDate; char ed1[30],ed2[30]; + char esc_job[MAX_ESCAPE_NAME_LENGTH]; + char esc_name[MAX_ESCAPE_NAME_LENGTH]; db_lock(mdb); @@ -80,14 +82,17 @@ db_create_job_record(JCR *jcr, B_DB *mdb, JOB_DBR *jr) len = strlen(jcr->comment); /* TODO: use jr instead of jcr to get comment */ buf.check_size(len*2+1); - db_escape_string(jcr, mdb, buf.c_str(), jcr->comment, len); + mdb->db_escape_string(jcr, buf.c_str(), jcr->comment, len); + + mdb->db_escape_string(jcr, esc_job, jr->Job, strlen(jr->Job)); + mdb->db_escape_string(jcr, esc_name, jr->Name, strlen(jr->Name)); /* Must create it */ Mmsg(mdb->cmd, "INSERT INTO Job (Job,Name,Type,Level,JobStatus,SchedTime,JobTDate," "ClientId,Comment) " "VALUES ('%s','%s','%c','%c','%c','%s',%s,%s,'%s')", - jr->Job, jr->Name, (char)(jr->JobType), (char)(jr->JobLevel), + esc_job, esc_name, (char)(jr->JobType), (char)(jr->JobLevel), (char)(jr->JobStatus), dt, edit_uint64(JobTDate, ed1), edit_int64(jr->ClientId, ed2), buf.c_str()); 
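Review bot: Nothing in db_create_job_record bounds the escaped output written to the new stack buffers `esc_job` and `esc_name`: the calls pass `strlen(jr->Job)` and `strlen(jr->Name)` as the input length, while the comment path a few lines above reserves `len*2+1` bytes via `buf.check_size(len*2+1)` for the same escape routine. That is only safe if MAX_ESCAPE_NAME_LENGTH is at least twice the declared size of every source field plus one, which this patch does not show. The later hunks reuse the same constant for fields that may not be name-sized (`pr->LabelFormat`, `cr->Uname`, `fsr->MD5`, `mr->VolStatus`, `cr->Counter`), so I would either add a compile-time size check beside each buffer or use the growable form from db_add_digest_to_file_record, `mdb->esc_name = check_pool_memory_size(mdb->esc_name, len*2+1);`. The function body extends beyond both hunks.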
@@ -165,11 +170,17 @@ db_create_pool_record(JCR *jcr, B_DB *mdb, POOL_DBR *pr) { bool stat; char ed1[30], ed2[30], ed3[50], ed4[50], ed5[50]; + char esc_name[MAX_ESCAPE_NAME_LENGTH]; + char esc_lf[MAX_ESCAPE_NAME_LENGTH]; + int num_rows; + Dmsg0(200, "In create pool\n"); db_lock(mdb); - Mmsg(mdb->cmd, "SELECT PoolId,Name FROM Pool WHERE Name='%s'", pr->Name); + mdb->db_escape_string(jcr, esc_name, pr->Name, strlen(pr->Name)); + mdb->db_escape_string(jcr, esc_lf, pr->LabelFormat, strlen(pr->LabelFormat)); + Mmsg(mdb->cmd, "SELECT PoolId,Name FROM Pool WHERE Name='%s'", esc_name); Dmsg1(200, "selectpool: %s\n", mdb->cmd); if (QUERY_DB(jcr, mdb, mdb->cmd)) { @@ -190,7 +201,7 @@ db_create_pool_record(JCR *jcr, B_DB *mdb, POOL_DBR *pr) "MaxVolJobs,MaxVolFiles,MaxVolBytes,PoolType,LabelType,LabelFormat," "RecyclePoolId,ScratchPoolId,ActionOnPurge) " "VALUES ('%s',%u,%u,%d,%d,%d,%d,%d,%s,%s,%u,%u,%s,'%s',%d,'%s',%s,%s,%d)", - pr->Name, + esc_name, pr->NumVols, pr->MaxVols, pr->UseOnce, pr->UseCatalog, pr->AcceptAnyVolume, @@ -199,7 +210,7 @@ db_create_pool_record(JCR *jcr, B_DB *mdb, POOL_DBR *pr) edit_uint64(pr->VolUseDuration, ed2), pr->MaxVolJobs, pr->MaxVolFiles, edit_uint64(pr->MaxVolBytes, ed3), - pr->PoolType, pr->LabelType, pr->LabelFormat, + pr->PoolType, pr->LabelType, esc_lf, edit_int64(pr->RecyclePoolId,ed4), edit_int64(pr->ScratchPoolId,ed5), pr->ActionOnPurge @@ -228,11 +239,13 @@ db_create_device_record(JCR *jcr, B_DB *mdb, DEVICE_DBR *dr) { bool ok; char ed1[30], ed2[30]; + char esc[MAX_ESCAPE_NAME_LENGTH]; int num_rows; Dmsg0(200, "In create Device\n"); db_lock(mdb); - Mmsg(mdb->cmd, "SELECT DeviceId,Name FROM Device WHERE Name='%s'", dr->Name); + mdb->db_escape_string(jcr, esc, dr->Name, strlen(dr->Name)); + Mmsg(mdb->cmd, "SELECT DeviceId,Name FROM Device WHERE Name='%s'", esc); Dmsg1(200, "selectdevice: %s\n", mdb->cmd); if (QUERY_DB(jcr, mdb, mdb->cmd)) { 
@@ -249,7 +262,7 @@ db_create_device_record(JCR *jcr, B_DB *mdb, DEVICE_DBR *dr) /* Must create it */ Mmsg(mdb->cmd, "INSERT INTO Device (Name,MediaTypeId,StorageId) VALUES ('%s',%s,%s)", - dr->Name, + esc, edit_uint64(dr->MediaTypeId, ed1), edit_int64(dr->StorageId, ed2)); Dmsg1(200, "Create Device: %s\n", mdb->cmd); @@ -277,9 +290,11 @@ bool db_create_storage_record(JCR *jcr, B_DB *mdb, STORAGE_DBR *sr) SQL_ROW row; bool ok; int num_rows; + char esc[MAX_ESCAPE_NAME_LENGTH]; db_lock(mdb); - Mmsg(mdb->cmd, "SELECT StorageId,AutoChanger FROM Storage WHERE Name='%s'", sr->Name); + mdb->db_escape_string(jcr, esc, sr->Name, strlen(sr->Name)); + Mmsg(mdb->cmd, "SELECT StorageId,AutoChanger FROM Storage WHERE Name='%s'",esc); sr->StorageId = 0; sr->created = false; @@ -310,7 +325,7 @@ bool db_create_storage_record(JCR *jcr, B_DB *mdb, STORAGE_DBR *sr) /* Must create it */ Mmsg(mdb->cmd, "INSERT INTO Storage (Name,AutoChanger)" - " VALUES ('%s',%d)", sr->Name, sr->AutoChanger); + " VALUES ('%s',%d)", esc, sr->AutoChanger); sr->StorageId = sql_insert_autokey_record(mdb, mdb->cmd, NT_("Storage")); if (sr->StorageId == 0) { @@ -337,10 +352,12 @@ db_create_mediatype_record(JCR *jcr, B_DB *mdb, MEDIATYPE_DBR *mr) { bool stat; int num_rows; + char esc[MAX_ESCAPE_NAME_LENGTH]; Dmsg0(200, "In create mediatype\n"); db_lock(mdb); - Mmsg(mdb->cmd, "SELECT MediaTypeId,MediaType FROM MediaType WHERE MediaType='%s'", mr->MediaType); + mdb->db_escape_string(jcr, esc, mr->MediaType, strlen(mr->MediaType)); + Mmsg(mdb->cmd, "SELECT MediaTypeId,MediaType FROM MediaType WHERE MediaType='%s'", esc); Dmsg1(200, "selectmediatype: %s\n", mdb->cmd); if (QUERY_DB(jcr, mdb, mdb->cmd)) { 
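Review bot: In db_create_mediatype_record only the existence check `SELECT ... WHERE MediaType='%s'` is switched to `esc`; the hunk ends before the statement that creates the row, and no later hunk in sql_create.c touches this function. If that INSERT (outside the hunk, so not visible here) still formats `mr->MediaType` directly, the create path remains unescaped and should pass `esc` as well, as the device and storage INSERTs in this patch do.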
@@ -388,10 +405,17 @@ db_create_media_record(JCR *jcr, B_DB *mdb, MEDIA_DBR *mr) char ed9[50], ed10[50], ed11[50], ed12[50]; struct tm tm; int num_rows; + char esc_name[MAX_ESCAPE_NAME_LENGTH]; + char esc_mtype[MAX_ESCAPE_NAME_LENGTH]; + char esc_status[MAX_ESCAPE_NAME_LENGTH]; + db_lock(mdb); - Mmsg(mdb->cmd, "SELECT MediaId FROM Media WHERE VolumeName='%s'", - mr->VolumeName); + mdb->db_escape_string(jcr, esc_name, mr->VolumeName, strlen(mr->VolumeName)); + mdb->db_escape_string(jcr, esc_mtype, mr->MediaType, strlen(mr->MediaType)); + mdb->db_escape_string(jcr, esc_status, mr->VolStatus, strlen(mr->VolStatus)); + + Mmsg(mdb->cmd, "SELECT MediaId FROM Media WHERE VolumeName='%s'", esc_name); Dmsg1(500, "selectpool: %s\n", mdb->cmd); if (QUERY_DB(jcr, mdb, mdb->cmd)) { @@ -414,8 +438,8 @@ db_create_media_record(JCR *jcr, B_DB *mdb, MEDIA_DBR *mr) "ScratchPoolId,RecyclePoolId,Enabled,ActionOnPurge)" "VALUES ('%s','%s',0,%u,%s,%s,%d,%s,%s,%u,%u,'%s',%d,%s,%d,%s,%s,%d,0,0,%d,%s," "%s,%s,%s,%s,%d,%d)", - mr->VolumeName, - mr->MediaType, mr->PoolId, + esc_name, + esc_mtype, mr->PoolId, edit_uint64(mr->MaxVolBytes,ed1), edit_uint64(mr->VolCapacityBytes, ed2), mr->Recycle, @@ -423,7 +447,7 @@ db_create_media_record(JCR *jcr, B_DB *mdb, MEDIA_DBR *mr) edit_uint64(mr->VolUseDuration, ed4), mr->MaxVolJobs, mr->MaxVolFiles, - mr->VolStatus, + esc_status, mr->Slot, edit_uint64(mr->VolBytes, ed5), mr->InChanger, 
@@ -481,9 +505,13 @@ int db_create_client_record(JCR *jcr, B_DB *mdb, CLIENT_DBR *cr) int stat; char ed1[50], ed2[50]; int num_rows; + char esc_name[MAX_ESCAPE_NAME_LENGTH]; + char esc_uname[MAX_ESCAPE_NAME_LENGTH]; db_lock(mdb); - Mmsg(mdb->cmd, "SELECT ClientId,Uname FROM Client WHERE Name='%s'", cr->Name); + mdb->db_escape_string(jcr, esc_name, cr->Name, strlen(cr->Name)); + mdb->db_escape_string(jcr, esc_uname, cr->Uname, strlen(cr->Uname)); + Mmsg(mdb->cmd, "SELECT ClientId,Uname FROM Client WHERE Name='%s'",esc_name); cr->ClientId = 0; if (QUERY_DB(jcr, mdb, mdb->cmd)) { @@ -517,7 +545,7 @@ int db_create_client_record(JCR *jcr, B_DB *mdb, CLIENT_DBR *cr) /* Must create it */ Mmsg(mdb->cmd, "INSERT INTO Client (Name,Uname,AutoPrune," "FileRetention,JobRetention) VALUES " -"('%s','%s',%d,%s,%s)", cr->Name, cr->Uname, cr->AutoPrune, +"('%s','%s',%d,%s,%s)", esc_name, esc_uname, cr->AutoPrune, edit_uint64(cr->FileRetention, ed1), edit_uint64(cr->JobRetention, ed2)); @@ -614,6 +642,7 @@ int db_create_path_record(JCR *jcr, B_DB *mdb, ATTR_DBR *ar) */ int db_create_counter_record(JCR *jcr, B_DB *mdb, COUNTER_DBR *cr) { + char esc[MAX_ESCAPE_NAME_LENGTH]; COUNTER_DBR mcr; int stat; @@ -625,12 +654,12 @@ int db_create_counter_record(JCR *jcr, B_DB *mdb, COUNTER_DBR *cr) db_unlock(mdb); return 1; } - + mdb->db_escape_string(jcr, esc, cr->Counter, strlen(cr->Counter)); /* Must create it */ Mmsg(mdb->cmd, "INSERT INTO Counters (Counter,\"MinValue\",\"MaxValue\",CurrentValue," "WrapCounter) VALUES ('%s','%d','%d','%d','%s')", - cr->Counter, cr->MinValue, cr->MaxValue, cr->CurrentValue, - cr->WrapCounter); + esc, cr->MinValue, cr->MaxValue, cr->CurrentValue, + cr->WrapCounter); if (!INSERT_DB(jcr, mdb, mdb->cmd)) { Mmsg2(&mdb->errmsg, _("Create DB Counters record %s failed. ERR=%s\n"), 
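Review bot: `cr->WrapCounter` is still formatted raw into the quoted `'%s'` slot of the `INSERT INTO Counters` statement in db_create_counter_record; only `cr->Counter` was switched to `esc`. The same applies to `WrapCounter='%s'` in the db_update_counter_record hunk of sql_update.c. A second buffer, `char esc_wrap[MAX_ESCAPE_NAME_LENGTH];` filled with `mdb->db_escape_string(jcr, esc_wrap, cr->WrapCounter, strlen(cr->WrapCounter));`, would close the gap, provided the buffer is large enough for that field.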
@@ -657,11 +686,16 @@ bool db_create_fileset_record(JCR *jcr, B_DB *mdb, FILESET_DBR *fsr) bool stat; struct tm tm; int num_rows; + char esc_fs[MAX_ESCAPE_NAME_LENGTH]; + char esc_md5[MAX_ESCAPE_NAME_LENGTH]; + /* TODO: Escape FileSet and MD5 */ db_lock(mdb); fsr->created = false; + mdb->db_escape_string(jcr, esc_fs, fsr->FileSet, strlen(fsr->FileSet)); + mdb->db_escape_string(jcr, esc_md5, fsr->MD5, strlen(fsr->MD5)); Mmsg(mdb->cmd, "SELECT FileSetId,CreateTime FROM FileSet WHERE " -"FileSet='%s' AND MD5='%s'", fsr->FileSet, fsr->MD5); + "FileSet='%s' AND MD5='%s'", esc_fs, esc_md5); fsr->FileSetId = 0; if (QUERY_DB(jcr, mdb, mdb->cmd)) { @@ -699,7 +733,7 @@ bool db_create_fileset_record(JCR *jcr, B_DB *mdb, FILESET_DBR *fsr) /* Must create it */ Mmsg(mdb->cmd, "INSERT INTO FileSet (FileSet,MD5,CreateTime) " -"VALUES ('%s','%s','%s')", fsr->FileSet, fsr->MD5, fsr->cCreateTime); +"VALUES ('%s','%s','%s')", esc_fs, esc_md5, fsr->cCreateTime); fsr->FileSetId = sql_insert_autokey_record(mdb, mdb->cmd, NT_("FileSet")); if (fsr->FileSetId == 0) { diff --git a/bacula/src/cats/sql_delete.c b/bacula/src/cats/sql_delete.c index 3683f667cf..05376087a6 100644 --- a/bacula/src/cats/sql_delete.c +++ b/bacula/src/cats/sql_delete.c @@ -65,9 +65,11 @@ db_delete_pool_record(JCR *jcr, B_DB *mdb, POOL_DBR *pr) { SQL_ROW row; int num_rows; + char esc[MAX_ESCAPE_NAME_LENGTH]; db_lock(mdb); - Mmsg(mdb->cmd, "SELECT PoolId FROM Pool WHERE Name='%s'", pr->Name); + mdb->db_escape_string(jcr, esc, pr->Name, strlen(pr->Name)); + Mmsg(mdb->cmd, "SELECT PoolId FROM Pool WHERE Name='%s'", esc); Dmsg1(10, "selectpool: %s\n", mdb->cmd); pr->PoolId = pr->NumVols = 0; diff --git a/bacula/src/cats/sql_find.c b/bacula/src/cats/sql_find.c index 0a1233d65f..1f2f22f9c5 100644 --- a/bacula/src/cats/sql_find.c +++ b/bacula/src/cats/sql_find.c 
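Review bot: The context comment `/* TODO: Escape FileSet and MD5 */` in db_create_fileset_record is now stale, since the added lines escape both fields; it should be dropped so the next reader does not assume the work is outstanding. `fsr->cCreateTime` is still passed unescaped into `VALUES ('%s','%s','%s')`. Where that value is produced is not visible in these hunks; if it is always formatted locally, a short comment recording that assumption would help, otherwise it needs escaping as well.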
@@ -65,9 +65,10 @@ db_find_job_start_time(JCR *jcr, B_DB *mdb, JOB_DBR *jr, POOLMEM **stime) { SQL_ROW row; char ed1[50], ed2[50]; + char esc_name[MAX_ESCAPE_NAME_LENGTH]; db_lock(mdb); - + mdb->db_escape_string(jcr, esc_name, jr->Name, strlen(jr->Name)); pm_strcpy(stime, "0000-00-00 00:00:00"); /* default */ /* If no Id given, we must find corresponding job */ if (jr->JobId == 0) { @@ -76,7 +77,7 @@ db_find_job_start_time(JCR *jcr, B_DB *mdb, JOB_DBR *jr, POOLMEM **stime) "SELECT StartTime FROM Job WHERE JobStatus IN ('T','W') AND Type='%c' AND " "Level='%c' AND Name='%s' AND ClientId=%s AND FileSetId=%s " "ORDER BY StartTime DESC LIMIT 1", - jr->JobType, L_FULL, jr->Name, + jr->JobType, L_FULL, esc_name, edit_int64(jr->ClientId, ed1), edit_int64(jr->FileSetId, ed2)); if (jr->JobLevel == L_DIFFERENTIAL) { @@ -106,7 +107,7 @@ db_find_job_start_time(JCR *jcr, B_DB *mdb, JOB_DBR *jr, POOLMEM **stime) "SELECT StartTime FROM Job WHERE JobStatus IN ('T','W') AND Type='%c' AND " "Level IN ('%c','%c','%c') AND Name='%s' AND ClientId=%s " "AND FileSetId=%s ORDER BY StartTime DESC LIMIT 1", - jr->JobType, L_INCREMENTAL, L_DIFFERENTIAL, L_FULL, jr->Name, + jr->JobType, L_INCREMENTAL, L_DIFFERENTIAL, L_FULL, esc_name, edit_int64(jr->ClientId, ed1), edit_int64(jr->FileSetId, ed2)); } else { Mmsg1(mdb->errmsg, _("Unknown level=%d\n"), jr->JobLevel); 
@@ -158,16 +159,17 @@ db_find_last_job_start_time(JCR *jcr, B_DB *mdb, JOB_DBR *jr, POOLMEM **stime, i { SQL_ROW row; char ed1[50], ed2[50]; + char esc_name[MAX_ESCAPE_NAME_LENGTH]; db_lock(mdb); - + mdb->db_escape_string(jcr, esc_name, jr->Name, strlen(jr->Name)); pm_strcpy(stime, "0000-00-00 00:00:00"); /* default */ Mmsg(mdb->cmd, "SELECT StartTime FROM Job WHERE JobStatus IN ('T','W') AND Type='%c' AND " "Level='%c' AND Name='%s' AND ClientId=%s AND FileSetId=%s " "ORDER BY StartTime DESC LIMIT 1", - jr->JobType, JobLevel, jr->Name, + jr->JobType, JobLevel, esc_name, edit_int64(jr->ClientId, ed1), edit_int64(jr->FileSetId, ed2)); if (!QUERY_DB(jcr, mdb, mdb->cmd)) { Mmsg2(&mdb->errmsg, _("Query error for start time request: ERR=%s\nCMD=%s\n"), @@ -203,15 +205,18 @@ db_find_failed_job_since(JCR *jcr, B_DB *mdb, JOB_DBR *jr, POOLMEM *stime, int & { SQL_ROW row; char ed1[50], ed2[50]; + char esc_name[MAX_ESCAPE_NAME_LENGTH]; db_lock(mdb); + mdb->db_escape_string(jcr, esc_name, jr->Name, strlen(jr->Name)); + /* Differential is since last Full backup */ Mmsg(mdb->cmd, "SELECT Level FROM Job WHERE JobStatus NOT IN ('T','W') AND " "Type='%c' AND Level IN ('%c','%c') AND Name='%s' AND ClientId=%s " "AND FileSetId=%s AND StartTime>'%s' " "ORDER BY StartTime DESC LIMIT 1", - jr->JobType, L_FULL, L_DIFFERENTIAL, jr->Name, + jr->JobType, L_FULL, L_DIFFERENTIAL, esc_name, edit_int64(jr->ClientId, ed1), edit_int64(jr->FileSetId, ed2), stime); if (!QUERY_DB(jcr, mdb, mdb->cmd)) { 
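Review bot: In db_find_failed_job_since the `stime` argument is still interpolated directly into `StartTime>'%s'` while `jr->Name` is now escaped. Where `stime` comes from is not visible in this hunk; if any caller can pass text that is not a locally formatted timestamp, it needs the same treatment, for example escaping it into a pool buffer sized `strlen(stime)*2+1` before the Mmsg call. The function body continues past the hunk.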
@@ -245,24 +250,28 @@ db_find_last_jobid(JCR *jcr, B_DB *mdb, const char *Name, JOB_DBR *jr) { SQL_ROW row; char ed1[50]; + char esc_name[MAX_ESCAPE_NAME_LENGTH]; - /* Find last full */ db_lock(mdb); + /* Find last full */ Dmsg2(100, "JobLevel=%d JobType=%d\n", jr->JobLevel, jr->JobType); if (jr->JobLevel == L_VERIFY_CATALOG) { + mdb->db_escape_string(jcr, esc_name, jr->Name, strlen(jr->Name)); Mmsg(mdb->cmd, "SELECT JobId FROM Job WHERE Type='V' AND Level='%c' AND " " JobStatus IN ('T','W') AND Name='%s' AND " "ClientId=%s ORDER BY StartTime DESC LIMIT 1", - L_VERIFY_INIT, jr->Name, + L_VERIFY_INIT, esc_name, edit_int64(jr->ClientId, ed1)); } else if (jr->JobLevel == L_VERIFY_VOLUME_TO_CATALOG || jr->JobLevel == L_VERIFY_DISK_TO_CATALOG || jr->JobType == JT_BACKUP) { if (Name) { + mdb->db_escape_string(jcr, esc_name, (char*)Name, + MIN(strlen(Name), sizeof(esc_name))); Mmsg(mdb->cmd, "SELECT JobId FROM Job WHERE Type='B' AND JobStatus IN ('T','W') AND " -"Name='%s' ORDER BY StartTime DESC LIMIT 1", Name); +"Name='%s' ORDER BY StartTime DESC LIMIT 1", esc_name); } else { Mmsg(mdb->cmd, "SELECT JobId FROM Job WHERE Type='B' AND JobStatus IN ('T','W') AND " @@ -314,10 +323,14 @@ db_find_next_volume(JCR *jcr, B_DB *mdb, int item, bool InChanger, MEDIA_DBR *mr SQL_ROW row = NULL; int numrows; const char *order; - + char esc_type[MAX_ESCAPE_NAME_LENGTH]; + char esc_status[MAX_ESCAPE_NAME_LENGTH]; char ed1[50]; db_lock(mdb); + mdb->db_escape_string(jcr, esc_type, mr->MediaType, strlen(mr->MediaType)); + mdb->db_escape_string(jcr, esc_status, mr->VolStatus, strlen(mr->VolStatus)); + if (item == -1) { /* find oldest volume */ /* Find oldest volume */ Mmsg(mdb->cmd, "SELECT MediaId,VolumeName,VolJobs,VolFiles,VolBlocks," 
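Review bot: The clamp in db_find_last_jobid, `MIN(strlen(Name), sizeof(esc_name))`, limits the input length to the size of the output buffer, but the `len*2+1` sizing used elsewhere in this patch shows that escaping can emit up to two bytes per input byte plus a terminator, so a long `Name` can still write past `esc_name`. The bound should come from the output capacity, `MIN(strlen(Name), (sizeof(esc_name) - 1) / 2)`. Rejecting an over-long name would be better than truncating it silently, since truncation changes which job the query matches. The `jr->Name` call in the L_VERIFY_CATALOG branch has no clamp at all and relies on the field size alone.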
@@ -330,7 +343,7 @@ db_find_next_volume(JCR *jcr, B_DB *mdb, int item, bool InChanger, MEDIA_DBR *mr "FROM Media WHERE PoolId=%s AND MediaType='%s' AND VolStatus IN ('Full'," "'Recycle','Purged','Used','Append') AND Enabled=1 " "ORDER BY LastWritten LIMIT 1", - edit_int64(mr->PoolId, ed1), mr->MediaType); + edit_int64(mr->PoolId, ed1), esc_type); item = 1; } else { POOL_MEM changer(PM_FNAME); @@ -356,8 +369,8 @@ db_find_next_volume(JCR *jcr, B_DB *mdb, int item, bool InChanger, MEDIA_DBR *mr "AND VolStatus='%s' " "%s " "%s LIMIT %d", - edit_int64(mr->PoolId, ed1), mr->MediaType, - mr->VolStatus, changer.c_str(), order, item); + edit_int64(mr->PoolId, ed1), esc_type, + esc_status, changer.c_str(), order, item); } Dmsg1(050, "fnextvol=%s\n", mdb->cmd); if (!QUERY_DB(jcr, mdb, mdb->cmd)) { diff --git a/bacula/src/cats/sql_get.c b/bacula/src/cats/sql_get.c index 7fee824ad7..4fd49c5a91 100644 --- a/bacula/src/cats/sql_get.c +++ b/bacula/src/cats/sql_get.c @@ -291,14 +291,16 @@ bool db_get_job_record(JCR *jcr, B_DB *mdb, JOB_DBR *jr) { SQL_ROW row; char ed1[50]; + char esc[MAX_ESCAPE_NAME_LENGTH]; db_lock(mdb); if (jr->JobId == 0) { + mdb->db_escape_string(jcr, esc, jr->Job, strlen(jr->Job)); Mmsg(mdb->cmd, "SELECT VolSessionId,VolSessionTime," "PoolId,StartTime,EndTime,JobFiles,JobBytes,JobTDate,Job,JobStatus," "Type,Level,ClientId,Name,PriorJobId,RealEndTime,JobId,FileSetId," "SchedTime,RealEndTime,ReadBytes,HasBase,PurgedFiles " -"FROM Job WHERE Job='%s'", jr->Job); +"FROM Job WHERE Job='%s'", esc); } else { Mmsg(mdb->cmd, "SELECT VolSessionId,VolSessionTime," "PoolId,StartTime,EndTime,JobFiles,JobBytes,JobTDate,Job,JobStatus," @@ -608,6 +610,7 @@ bool db_get_pool_record(JCR *jcr, B_DB *mdb, POOL_DBR *pdbr) bool ok = false; char ed1[50]; int num_rows; + char esc[MAX_ESCAPE_NAME_LENGTH]; db_lock(mdb); if (pdbr->PoolId != 0) { /* find by id */ 
@@ -618,12 +621,12 @@ bool db_get_pool_record(JCR *jcr, B_DB *mdb, POOL_DBR *pdbr) "ActionOnPurge FROM Pool WHERE Pool.PoolId=%s", edit_int64(pdbr->PoolId, ed1)); } else { /* find by name */ + mdb->db_escape_string(jcr, esc, pdbr->Name, strlen(pdbr->Name)); Mmsg(mdb->cmd, "SELECT PoolId,Name,NumVols,MaxVols,UseOnce,UseCatalog,AcceptAnyVolume," "AutoPrune,Recycle,VolRetention,VolUseDuration,MaxVolJobs,MaxVolFiles," "MaxVolBytes,PoolType,LabelType,LabelFormat,RecyclePoolId,ScratchPoolId," -"ActionOnPurge FROM Pool WHERE Pool.Name='%s'", - pdbr->Name); +"ActionOnPurge FROM Pool WHERE Pool.Name='%s'", esc); } if (QUERY_DB(jcr, mdb, mdb->cmd)) { num_rows = sql_num_rows(mdb); @@ -693,6 +696,7 @@ int db_get_client_record(JCR *jcr, B_DB *mdb, CLIENT_DBR *cdbr) int stat = 0; char ed1[50]; int num_rows; + char esc[MAX_ESCAPE_NAME_LENGTH]; db_lock(mdb); if (cdbr->ClientId != 0) { /* find by id */ @@ -701,9 +705,10 @@ int db_get_client_record(JCR *jcr, B_DB *mdb, CLIENT_DBR *cdbr) "FROM Client WHERE Client.ClientId=%s", edit_int64(cdbr->ClientId, ed1)); } else { /* find by name */ + mdb->db_escape_string(jcr, esc, cdbr->Name, strlen(cdbr->Name)); Mmsg(mdb->cmd, "SELECT ClientId,Name,Uname,AutoPrune,FileRetention,JobRetention " -"FROM Client WHERE Client.Name='%s'", cdbr->Name); +"FROM Client WHERE Client.Name='%s'", esc); } if (QUERY_DB(jcr, mdb, mdb->cmd)) { @@ -746,10 +751,13 @@ int db_get_counter_record(JCR *jcr, B_DB *mdb, COUNTER_DBR *cr) { SQL_ROW row; int num_rows; + char esc[MAX_ESCAPE_NAME_LENGTH]; db_lock(mdb); + mdb->db_escape_string(jcr, esc, cr->Counter, strlen(cr->Counter)); + Mmsg(mdb->cmd, "SELECT \"MinValue\",\"MaxValue\",CurrentValue,WrapCounter " - "FROM Counters WHERE Counter='%s'", cr->Counter); + "FROM Counters WHERE Counter='%s'", esc); if (QUERY_DB(jcr, mdb, mdb->cmd)) { num_rows = sql_num_rows(mdb); 
@@ -802,6 +810,7 @@ int db_get_fileset_record(JCR *jcr, B_DB *mdb, FILESET_DBR *fsr) int stat = 0; char ed1[50]; int num_rows; + char esc[MAX_ESCAPE_NAME_LENGTH]; db_lock(mdb); if (fsr->FileSetId != 0) { /* find by id */ @@ -810,9 +819,10 @@ int db_get_fileset_record(JCR *jcr, B_DB *mdb, FILESET_DBR *fsr) "WHERE FileSetId=%s", edit_int64(fsr->FileSetId, ed1)); } else { /* find by name */ + mdb->db_escape_string(jcr, esc, fsr->FileSet, strlen(fsr->FileSet)); Mmsg(mdb->cmd, "SELECT FileSetId,FileSet,MD5,CreateTime FROM FileSet " - "WHERE FileSet='%s' ORDER BY CreateTime DESC LIMIT 1", fsr->FileSet); + "WHERE FileSet='%s' ORDER BY CreateTime DESC LIMIT 1", esc); } if (QUERY_DB(jcr, mdb, mdb->cmd)) { @@ -988,6 +998,7 @@ bool db_get_media_record(JCR *jcr, B_DB *mdb, MEDIA_DBR *mr) char ed1[50]; bool ok = false; int num_rows; + char esc[MAX_ESCAPE_NAME_LENGTH]; db_lock(mdb); if (mr->MediaId == 0 && mr->VolumeName[0] == 0) { @@ -1007,6 +1018,7 @@ bool db_get_media_record(JCR *jcr, B_DB *mdb, MEDIA_DBR *mr) "FROM Media WHERE MediaId=%s", edit_int64(mr->MediaId, ed1)); } else { /* find by name */ + mdb->db_escape_string(jcr, esc, mr->VolumeName, strlen(mr->VolumeName)); Mmsg(mdb->cmd, "SELECT MediaId,VolumeName,VolJobs,VolFiles,VolBlocks," "VolBytes,VolMounts,VolErrors,VolWrites,MaxVolBytes,VolCapacityBytes," "MediaType,VolStatus,PoolId,VolRetention,VolUseDuration,MaxVolJobs," @@ -1014,7 +1026,7 @@ bool db_get_media_record(JCR *jcr, B_DB *mdb, MEDIA_DBR *mr) "EndFile,EndBlock,VolParts,LabelType,LabelDate,StorageId," "Enabled,LocationId,RecycleCount,InitialWrite," "ScratchPoolId,RecyclePoolId,VolReadTime,VolWriteTime,ActionOnPurge " - "FROM Media WHERE VolumeName='%s'", mr->VolumeName); + "FROM Media WHERE VolumeName='%s'", esc); } if (QUERY_DB(jcr, mdb, mdb->cmd)) { 
@@ -1290,6 +1302,7 @@ bool db_get_base_jobid(JCR *jcr, B_DB *mdb, JOB_DBR *jr, JobId_t *jobid) utime_t StartTime; db_int64_ctx lctx; char date[MAX_TIME_LENGTH]; + char esc[MAX_ESCAPE_NAME_LENGTH]; bool ret=false; // char clientid[50], filesetid[50]; *jobid = 0; @@ -1298,7 +1311,8 @@ bool db_get_base_jobid(JCR *jcr, B_DB *mdb, JOB_DBR *jr, JobId_t *jobid) StartTime = (jr->StartTime)?jr->StartTime:time(NULL); bstrutime(date, sizeof(date), StartTime + 1); - + mdb->db_escape_string(jcr, esc, jr->Name, strlen(jr->Name)); + /* we can take also client name, fileset, etc... */ Mmsg(query, @@ -1311,7 +1325,7 @@ bool db_get_base_jobid(JCR *jcr, B_DB *mdb, JOB_DBR *jr, JobId_t *jobid) // "AND Client.Name = '%s' " "AND StartTime<'%s' " "ORDER BY Job.JobTDate DESC LIMIT 1", - jr->Name, + esc, // edit_uint64(jr->ClientId, clientid), // edit_uint64(jr->FileSetId, filesetid)); date); diff --git a/bacula/src/cats/sql_list.c b/bacula/src/cats/sql_list.c index 05fb1c5cbc..8b042f840e 100644 --- a/bacula/src/cats/sql_list.c +++ b/bacula/src/cats/sql_list.c @@ -79,16 +79,19 @@ void db_list_pool_records(JCR *jcr, B_DB *mdb, POOL_DBR *pdbr, DB_LIST_HANDLER *sendit, void *ctx, e_list_type type) { + char esc[MAX_ESCAPE_NAME_LENGTH]; LIST_CTX lctx(jcr, mdb, sendit, ctx, type); db_lock(mdb); + mdb->db_escape_string(jcr, esc, pdbr->Name, strlen(pdbr->Name)); + if (type == VERT_LIST) { if (pdbr->Name[0] != 0) { Mmsg(mdb->cmd, "SELECT PoolId,Name,NumVols,MaxVols,UseOnce,UseCatalog," "AcceptAnyVolume,VolRetention,VolUseDuration,MaxVolJobs,MaxVolBytes," "AutoPrune,Recycle,PoolType,LabelFormat,Enabled,ScratchPoolId," "RecyclePoolId,LabelType " - " FROM Pool WHERE Name='%s'", pdbr->Name); + " FROM Pool WHERE Name='%s'", esc); } else { Mmsg(mdb->cmd, "SELECT PoolId,Name,NumVols,MaxVols,UseOnce,UseCatalog," "AcceptAnyVolume,VolRetention,VolUseDuration,MaxVolJobs,MaxVolBytes," 
@@ -99,7 +102,7 @@ db_list_pool_records(JCR *jcr, B_DB *mdb, POOL_DBR *pdbr, } else { if (pdbr->Name[0] != 0) { Mmsg(mdb->cmd, "SELECT PoolId,Name,NumVols,MaxVols,PoolType,LabelFormat " - "FROM Pool WHERE Name='%s'", pdbr->Name); + "FROM Pool WHERE Name='%s'", esc); } else { Mmsg(mdb->cmd, "SELECT PoolId,Name,NumVols,MaxVols,PoolType,LabelFormat " "FROM Pool ORDER BY PoolId"); @@ -152,9 +155,12 @@ db_list_media_records(JCR *jcr, B_DB *mdb, MEDIA_DBR *mdbr, DB_LIST_HANDLER *sendit, void *ctx, e_list_type type) { char ed1[50]; + char esc[MAX_ESCAPE_NAME_LENGTH]; LIST_CTX lctx(jcr, mdb, sendit, ctx, type); db_lock(mdb); + mdb->db_escape_string(jcr, esc, mdbr->VolumeName, strlen(mdbr->VolumeName)); + if (type == VERT_LIST) { if (mdbr->VolumeName[0] != 0) { Mmsg(mdb->cmd, "SELECT MediaId,VolumeName,Slot,PoolId," @@ -165,7 +171,7 @@ db_list_media_records(JCR *jcr, B_DB *mdb, MEDIA_DBR *mdbr, "EndFile,EndBlock,VolParts,LabelType,StorageId,DeviceId," "LocationId,RecycleCount,InitialWrite,ScratchPoolId,RecyclePoolId, " "Comment" - " FROM Media WHERE Media.VolumeName='%s'", mdbr->VolumeName); + " FROM Media WHERE Media.VolumeName='%s'", esc); } else { Mmsg(mdb->cmd, "SELECT MediaId,VolumeName,Slot,PoolId," "MediaType,FirstWritten,LastWritten,LabelDate,VolJobs," @@ -182,7 +188,7 @@ db_list_media_records(JCR *jcr, B_DB *mdb, MEDIA_DBR *mdbr, if (mdbr->VolumeName[0] != 0) { Mmsg(mdb->cmd, "SELECT MediaId,VolumeName,VolStatus,Enabled," "VolBytes,VolFiles,VolRetention,Recycle,Slot,InChanger,MediaType,LastWritten " - "FROM Media WHERE Media.VolumeName='%s'", mdbr->VolumeName); + "FROM Media WHERE Media.VolumeName='%s'", esc); } else { Mmsg(mdb->cmd, "SELECT MediaId,VolumeName,VolStatus,Enabled," "VolBytes,VolFiles,VolRetention,Recycle,Slot,InChanger,MediaType,LastWritten " 
@@ -333,6 +339,7 @@ db_list_job_records(JCR *jcr, B_DB *mdb, JOB_DBR *jr, DB_LIST_HANDLER *sendit, { char ed1[50]; char limit[100]; + char esc[MAX_ESCAPE_NAME_LENGTH]; LIST_CTX lctx(jcr, mdb, sendit, ctx, type); db_lock(mdb); @@ -368,13 +375,15 @@ db_list_job_records(JCR *jcr, B_DB *mdb, JOB_DBR *jr, DB_LIST_HANDLER *sendit, } } else { if (jr->Name[0] != 0) { + mdb->db_escape_string(jcr, esc, jr->Name, strlen(jr->Name)); Mmsg(mdb->cmd, - "SELECT JobId,Name,StartTime,Type,Level,JobFiles,JobBytes,JobStatus " - "FROM Job WHERE Name='%s' ORDER BY StartTime,JobId ASC", jr->Name); + "SELECT JobId,Name,StartTime,Type,Level,JobFiles,JobBytes,JobStatus " + "FROM Job WHERE Name='%s' ORDER BY StartTime,JobId ASC", esc); } else if (jr->Job[0] != 0) { + mdb->db_escape_string(jcr, esc, jr->Job, strlen(jr->Job)); Mmsg(mdb->cmd, "SELECT JobId,Name,StartTime,Type,Level,JobFiles,JobBytes,JobStatus " - "FROM Job WHERE Job='%s' ORDER BY StartTime,JobId ASC", jr->Job); + "FROM Job WHERE Job='%s' ORDER BY StartTime,JobId ASC", esc); } else if (jr->JobId != 0) { Mmsg(mdb->cmd, "SELECT JobId,Name,StartTime,Type,Level,JobFiles,JobBytes,JobStatus " diff --git a/bacula/src/cats/sql_update.c b/bacula/src/cats/sql_update.c index 6696b8f309..22ff00a72a 100644 --- a/bacula/src/cats/sql_update.c +++ b/bacula/src/cats/sql_update.c 
@@ -59,15 +59,18 @@ int db_add_digest_to_file_record(JCR *jcr, B_DB *mdb, FileId_t FileId, char *digest, int type) { - int stat; + int ret; char ed1[50]; + int len = strlen(digest); db_lock(mdb); - Mmsg(mdb->cmd, "UPDATE File SET MD5='%s' WHERE FileId=%s", digest, - edit_int64(FileId, ed1)); - stat = UPDATE_DB(jcr, mdb, mdb->cmd); + mdb->esc_name = check_pool_memory_size(mdb->esc_name, len*2+1); + mdb->db_escape_string(jcr, mdb->esc_name, digest, len); + Mmsg(mdb->cmd, "UPDATE File SET MD5='%s' WHERE FileId=%s", mdb->esc_name, + edit_int64(FileId, ed1)); + ret = UPDATE_DB(jcr, mdb, mdb->cmd); db_unlock(mdb); - return stat; + return ret; } /* Mark the file record as being visited during database @@ -206,6 +209,8 @@ db_update_client_record(JCR *jcr, B_DB *mdb, CLIENT_DBR *cr) { int stat; char ed1[50], ed2[50]; + char esc_name[MAX_ESCAPE_NAME_LENGTH]; + char esc_uname[MAX_ESCAPE_NAME_LENGTH]; CLIENT_DBR tcr; db_lock(mdb); @@ -215,13 +220,15 @@ db_update_client_record(JCR *jcr, B_DB *mdb, CLIENT_DBR *cr) return 0; } + mdb->db_escape_string(jcr, esc_name, cr->Name, strlen(cr->Name)); + mdb->db_escape_string(jcr, esc_uname, cr->Uname, strlen(cr->Uname)); Mmsg(mdb->cmd, "UPDATE Client SET AutoPrune=%d,FileRetention=%s,JobRetention=%s," "Uname='%s' WHERE Name='%s'", cr->AutoPrune, edit_uint64(cr->FileRetention, ed1), edit_uint64(cr->JobRetention, ed2), - cr->Uname, cr->Name); + esc_uname, esc_name); stat = UPDATE_DB(jcr, mdb, mdb->cmd); db_unlock(mdb); 
@@ -236,13 +243,14 @@ db_update_client_record(JCR *jcr, B_DB *mdb, CLIENT_DBR *cr) */ int db_update_counter_record(JCR *jcr, B_DB *mdb, COUNTER_DBR *cr) { + char esc[MAX_ESCAPE_NAME_LENGTH]; db_lock(mdb); - + mdb->db_escape_string(jcr, esc, cr->Counter, strlen(cr->Counter)); Mmsg(mdb->cmd, "UPDATE Counters SET \"MinValue\"=%d,\"MaxValue\"=%d,CurrentValue=%d," "WrapCounter='%s' WHERE Counter='%s'", cr->MinValue, cr->MaxValue, cr->CurrentValue, - cr->WrapCounter, cr->Counter); + cr->WrapCounter, esc); int stat = UPDATE_DB(jcr, mdb, mdb->cmd); db_unlock(mdb); @@ -254,8 +262,11 @@ int db_update_pool_record(JCR *jcr, B_DB *mdb, POOL_DBR *pr) { int stat; char ed1[50], ed2[50], ed3[50], ed4[50], ed5[50], ed6[50]; + char esc[MAX_ESCAPE_NAME_LENGTH]; db_lock(mdb); + mdb->db_escape_string(jcr, esc, pr->LabelFormat, strlen(pr->LabelFormat)); + Mmsg(mdb->cmd, "SELECT count(*) from Media WHERE PoolId=%s", edit_int64(pr->PoolId, ed4)); pr->NumVols = get_sql_record_max(jcr, mdb); @@ -273,7 +284,7 @@ int db_update_pool_record(JCR *jcr, B_DB *mdb, POOL_DBR *pr) pr->MaxVolJobs, pr->MaxVolFiles, edit_uint64(pr->MaxVolBytes, ed3), pr->Recycle, pr->AutoPrune, pr->LabelType, - pr->LabelFormat, edit_int64(pr->RecyclePoolId,ed5), + esc, edit_int64(pr->RecyclePoolId,ed5), edit_int64(pr->ScratchPoolId,ed6), pr->ActionOnPurge, ed4); 
@@ -313,17 +324,21 @@ db_update_media_record(JCR *jcr, B_DB *mdb, MEDIA_DBR *mr) char ed1[50], ed2[50], ed3[50], ed4[50]; char ed5[50], ed6[50], ed7[50], ed8[50]; char ed9[50], ed10[50], ed11[50]; - + char esc_name[MAX_ESCAPE_NAME_LENGTH]; + char esc_status[MAX_ESCAPE_NAME_LENGTH]; Dmsg1(100, "update_media: FirstWritten=%d\n", mr->FirstWritten); db_lock(mdb); + mdb->db_escape_string(jcr, esc_name, mr->VolumeName, strlen(mr->VolumeName)); + mdb->db_escape_string(jcr, esc_status, mr->VolStatus, strlen(mr->VolStatus)); + if (mr->set_first_written) { Dmsg1(400, "Set FirstWritten Vol=%s\n", mr->VolumeName); ttime = mr->FirstWritten; (void)localtime_r(&ttime, &tm); strftime(dt, sizeof(dt), "%Y-%m-%d %H:%M:%S", &tm); Mmsg(mdb->cmd, "UPDATE Media SET FirstWritten='%s'" - " WHERE VolumeName='%s'", dt, mr->VolumeName); + " WHERE VolumeName='%s'", dt, esc_name); stat = UPDATE_DB(jcr, mdb, mdb->cmd); Dmsg1(400, "Firstwritten=%d\n", mr->FirstWritten); } @@ -337,7 +352,7 @@ db_update_media_record(JCR *jcr, B_DB *mdb, MEDIA_DBR *mr) (void)localtime_r(&ttime, &tm); strftime(dt, sizeof(dt), "%Y-%m-%d %H:%M:%S", &tm); Mmsg(mdb->cmd, "UPDATE Media SET LabelDate='%s' " - "WHERE VolumeName='%s'", dt, mr->VolumeName); + "WHERE VolumeName='%s'", dt, esc_name); UPDATE_DB(jcr, mdb, mdb->cmd); } @@ -346,7 +361,7 @@ db_update_media_record(JCR *jcr, B_DB *mdb, MEDIA_DBR *mr) (void)localtime_r(&ttime, &tm); strftime(dt, sizeof(dt), "%Y-%m-%d %H:%M:%S", &tm); Mmsg(mdb->cmd, "UPDATE Media Set LastWritten='%s' " - "WHERE VolumeName='%s'", dt, mr->VolumeName); + "WHERE VolumeName='%s'", dt, esc_name); UPDATE_DB(jcr, mdb, mdb->cmd); } 
@@ -369,7 +384,7 @@ db_update_media_record(JCR *jcr, B_DB *mdb, MEDIA_DBR *mr) mr->VolJobs, mr->VolFiles, mr->VolBlocks, edit_uint64(mr->VolBytes, ed1), mr->VolMounts, mr->VolErrors, mr->VolWrites, edit_uint64(mr->MaxVolBytes, ed2), - mr->VolStatus, mr->Slot, mr->InChanger, + esc_status, mr->Slot, mr->InChanger, edit_int64(mr->VolReadTime, ed3), edit_int64(mr->VolWriteTime, ed4), mr->VolParts, @@ -383,7 +398,7 @@ db_update_media_record(JCR *jcr, B_DB *mdb, MEDIA_DBR *mr) edit_uint64(mr->ScratchPoolId, ed10), edit_uint64(mr->RecyclePoolId, ed11), mr->RecycleCount,mr->Recycle, mr->ActionOnPurge, - mr->VolumeName); + esc_name); Dmsg1(400, "%s\n", mdb->cmd); @@ -407,10 +422,11 @@ db_update_media_defaults(JCR *jcr, B_DB *mdb, MEDIA_DBR *mr) { int stat; char ed1[50], ed2[50], ed3[50], ed4[50], ed5[50]; - + char esc[MAX_ESCAPE_NAME_LENGTH]; db_lock(mdb); if (mr->VolumeName[0]) { + mdb->db_escape_string(jcr, esc, mr->VolumeName, strlen(mr->VolumeName)); Mmsg(mdb->cmd, "UPDATE Media SET " "ActionOnPurge=%d, Recycle=%d,VolRetention=%s,VolUseDuration=%s," "MaxVolJobs=%u,MaxVolFiles=%u,MaxVolBytes=%s,RecyclePoolId=%s" @@ -420,7 +436,7 @@ db_update_media_defaults(JCR *jcr, B_DB *mdb, MEDIA_DBR *mr) mr->MaxVolJobs, mr->MaxVolFiles, edit_uint64(mr->MaxVolBytes, ed3), edit_uint64(mr->RecyclePoolId, ed4), - mr->VolumeName); + esc); } else { Mmsg(mdb->cmd, "UPDATE Media SET " "ActionOnPurge=%d, Recycle=%d,VolRetention=%s,VolUseDuration=%s," @@ -453,6 +469,7 @@ void db_make_inchanger_unique(JCR *jcr, B_DB *mdb, MEDIA_DBR *mr) { char ed1[50], ed2[50]; + char esc[MAX_ESCAPE_NAME_LENGTH]; if (mr->InChanger != 0 && mr->Slot != 0 && mr->StorageId != 0) { if (mr->MediaId != 0) { 
@@ -462,10 +479,11 @@ db_make_inchanger_unique(JCR *jcr, B_DB *mdb, MEDIA_DBR *mr) edit_int64(mr->StorageId, ed1), edit_int64(mr->MediaId, ed2)); } else if (*mr->VolumeName) { + mdb->db_escape_string(jcr, esc,mr->VolumeName,strlen(mr->VolumeName)); Mmsg(mdb->cmd, "UPDATE Media SET InChanger=0, Slot=0 WHERE " "Slot=%d AND StorageId=%s AND VolumeName!='%s'", mr->Slot, - edit_int64(mr->StorageId, ed1), mr->VolumeName); + edit_int64(mr->StorageId, ed1), esc); } else { /* used by ua_label to reset all volume with this slot */ Mmsg(mdb->cmd, "UPDATE Media SET InChanger=0, Slot=0 WHERE " -- 2.39.5