authorMelanie2009-12-26 23:38:11 +0000
committerMelanie2009-12-26 23:38:11 +0000
commit0369256720811e5247cbbe24b2f875cce259e01c (patch)
treee3dae213f6a95c919edcb9cf58a2a2283c89027f /OpenSim/Data/MySQL
parentAdd AvatarInterestsReply (diff)
Close a SQL injection loophole in the new database driver
Diffstat (limited to 'OpenSim/Data/MySQL')
-rw-r--r--OpenSim/Data/MySQL/MySQLGenericTableHandler.cs5
1 files changed, 3 insertions, 2 deletions
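diff --git a/OpenSim/Data/MySQL/MySQLGenericTableHandler.cs b/OpenSim/Data/MySQL/MySQLGenericTableHandler.cs
index 4dfc324..58b95d7 100644
--- a/OpenSim/Data/MySQL/MySQLGenericTableHandler.cs
+++ b/OpenSim/Data/MySQL/MySQLGenericTableHandler.cs
@@ -216,11 +216,12 @@ namespace OpenSim.Data.MySQL
 foreach (KeyValuePair<string, string> kvp in data)
 {
 names.Add(kvp.Key);
-values.Add(kvp.Value);
+values.Add("?" + kvp.Key);
+cmd.Parameters.AddWithValue("?" + kvp.Key, kvp.Value);
 }
 }
 
-query = String.Format("replace into {0} (`", m_Realm) + String.Join("`,`", names.ToArray()) + "`) values ('" + String.Join("','", values.ToArray()) + "')";
+query = String.Format("replace into {0} (`", m_Realm) + String.Join("`,`", names.ToArray()) + "`) values (" + String.Join(",", values.ToArray()) + ")";
 
 cmd.CommandText = query;
 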
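Review bot: The column names still reach the SQL text unparameterized: `names.Add(kvp.Key)` feeds the backtick-quoted column list in the `query = ...` line, and the same key is reused as the parameter name in `"?" + kvp.Key`, so this fix covers the values only. If the keys of `data` can ever originate outside the server (not visible in this hunk), each key should be checked before use, for example `if (!Regex.IsMatch(kvp.Key, "^[A-Za-z0-9_]+$")) throw new ArgumentException("invalid column name: " + kvp.Key);` ahead of `names.Add`, or matched against the table's known columns. `m_Realm` is also formatted into the statement and is presumably fixed by configuration, which is worth confirming. The enclosing method starts and ends outside the hunk, so whatever fills `names` and `values` before line 216 could not be checked here.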