--- DatabaseLayer.cpp 2006/09/04 10:17:10 38 +++ DatabaseLayer.cpp 2006/09/04 12:39:10 39 @@ -54,11 +54,13 @@ CString SQL; Person p; - //FIX SQL INJECTION + + wantInits.Replace("'","\""); + SQL = "SELECT PersonID, Initialer, Navn, Admin, Pass FROM Person WHERE (Initialer = '" + wantInits + "')"; CRecordset rs(&db); rs.Open(AFX_DB_USE_DEFAULT_TYPE, SQL); - + if(!rs.IsEOF() ) { rs.GetFieldValue((short)0,id); @@ -73,12 +75,16 @@ p.isadmin = (isadmin == "1"); p.pass = pass; } + return p; } bool DatabaseLayer::AddPerson(Person NewPerson) { CString SQL; + NewPerson.inits.Replace("'","\""); + NewPerson.name.Replace("'","\""); + NewPerson.pass.Replace("'","\""); SQL.Format("INSERT into Person(Initialer, Navn, Admin, Pass) VALUES('%s', '%s', '%d', '%s')",NewPerson.inits, NewPerson.name, NewPerson.isadmin, NewPerson.pass); db.ExecuteSQL(SQL); return true; @@ -87,6 +93,10 @@ bool DatabaseLayer::UpdatePerson(Person ChangePerson) { CString SQL; + ChangePerson.inits.Replace("'","\""); + ChangePerson.name.Replace("'","\""); + ChangePerson.pass.Replace("'","\""); + ChangePerson.id.Replace("'","\""); SQL.Format("UPDATE Person SET Initialer = '%s', Navn = '%s', Pass = '%s', Admin = '%d' WHERE PersonID = '%s'", ChangePerson.inits, ChangePerson.name, ChangePerson.pass, ChangePerson.isadmin, ChangePerson.id); db.ExecuteSQL(SQL); return true; @@ -95,6 +105,7 @@ bool DatabaseLayer::DeletePerson(Person RemovePerson) { CString SQL; + RemovePerson.id.Replace("'","\""); SQL.Format("DELETE FROM Person WHERE PersonID = '%s'", RemovePerson.id); db.ExecuteSQL(SQL); return true; @@ -103,6 +114,7 @@ bool DatabaseLayer::ReturnEquipment(CString barcode) { CString SQL; + barcode.Replace("'","\""); SQL.Format("UPDATE Udstyr SET Status = '3' WHERE Stregkode= '%s'", barcode); db.ExecuteSQL(SQL); @@ -116,6 +128,8 @@ bool DatabaseLayer::CheckoutEquipment(Person CheckPersID, Equipment CheckEquip, int Numdays) { CString SQL; + CheckEquip.barcode.Replace("'","\""); + CheckPersID.id.Replace("'","\""); SQL.Format("UPDATE Udstyr SET Status = '1' WHERE Stregkode = '%s' ", CheckEquip.barcode); db.ExecuteSQL(SQL); SQL.Format("INSERT INTO Udlån (PersonID, Stregkode, Startdato, Antaldage) VALUES( '%s','%s', GetDate(),'%d')", CheckPersID.id, CheckEquip.barcode, Numdays); @@ -126,6 +140,8 @@ bool DatabaseLayer::EquipmentReservation(CString barcode, Person CheckPerson) { CString SQL; + CheckPerson.id.Replace("'","\""); + barcode.Replace("'","\""); SQL.Format("INSERT INTO Resevation (PersonID, Stregkode, Startdato) VALUES( '%s','%s', GetDate())", CheckPerson.id, barcode); db.ExecuteSQL(SQL); checkReservations(barcode); @@ -135,6 +151,11 @@ bool DatabaseLayer::UpdateEquipment(Equipment CheckEquip) { CString SQL; + CheckEquip.name.Replace("'","\""); + CheckEquip.description.Replace("'","\""); + CheckEquip.placement.Replace("'","\""); + CheckEquip.status.Replace("'","\""); + CheckEquip.barcode.Replace("'","\""); SQL.Format("UPDATE Udstyr SET Navn = '%s', Beskrivelse = '%s', Placering = '%s', Status = '%s' WHERE Stregkode = '%s'", CheckEquip.name, CheckEquip.description, CheckEquip.placement, CheckEquip.status, CheckEquip.barcode); db.ExecuteSQL(SQL); return true; @@ -143,6 +164,10 @@ bool DatabaseLayer::AddEquipment(Equipment AddEquip) { CString SQL; + AddEquip.barcode.Replace("'","\""); + AddEquip.name.Replace("'","\""); + AddEquip.description.Replace("'","\""); + AddEquip.placement.Replace("'","\""); SQL.Format("INSERT into Udstyr(Stregkode, Navn, Beskrivelse, Placering, Status) VALUES('%s', '%s', '%s', '%s', '%s')",AddEquip.barcode, AddEquip.name, AddEquip.description, AddEquip.placement, "3"); db.ExecuteSQL(SQL); return true; @@ -184,6 +209,8 @@ CString SQL; + wantBarcode.Replace("'","\""); + Equipment e; SQL.Format("SELECT Stregkode,Navn,Udstyr.Beskrivelse,Placering,Status.Beskrivelse FROM Udstyr INNER JOIN Status ON Udstyr.Status = Status.StatusID Where (Stregkode = '%s')", wantBarcode); @@ -210,6 +237,7 @@ bool DatabaseLayer::DeleteEquipment(Equipment DelEquip) { CString SQL; + DelEquip.barcode.Replace("'","\""); SQL.Format("DELETE FROM Udstyr WHERE Stregkode = '%s'", DelEquip.barcode); db.ExecuteSQL(SQL); return true; @@ -221,6 +249,10 @@ { vector buffer; + barcode.Replace("'","\""); + name.Replace("'","\""); + inits.Replace("'","\""); + //here are the wanted equipments found through 3 seperate queries - I could also //find them all in one query where I joined the 3 selects via a UNION CString SQL; @@ -357,6 +389,7 @@ void DatabaseLayer::checkReservations(CString barcode) { CString scount,status; + barcode.Replace("'","\""); CString SQL = "SELECT count(*) FROM Resevation WHERE Resevation.Stregkode = '" + barcode + "'"; CRecordset rs(&db); rs.Open(AFX_DB_USE_DEFAULT_TYPE,SQL); @@ -382,6 +415,8 @@ //Developed by Torben H. Nielsen bool DatabaseLayer::DeleteReservation(CString barcode, CString resid) { + barcode.Replace("'","\""); + resid.Replace("'","\""); CString SQL = "DELETE FROM Resevation WHERE resevationid = " + resid; db.ExecuteSQL(SQL); checkReservations(barcode);