From d32d25634d0a8d257ed3d05abb9e6c70d086b3f5 Mon Sep 17 00:00:00 2001 From: Justin Clark-Casey (justincc) Date: Thu, 15 May 2014 22:09:37 +0100 Subject: Escape find string in MySQL core groups plugin --- OpenSim/Data/MySQL/MySQLGroupsData.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'OpenSim/Data') diff --git a/OpenSim/Data/MySQL/MySQLGroupsData.cs b/OpenSim/Data/MySQL/MySQLGroupsData.cs index 8e39229..afa499e 100644 --- a/OpenSim/Data/MySQL/MySQLGroupsData.cs +++ b/OpenSim/Data/MySQL/MySQLGroupsData.cs @@ -88,7 +88,7 @@ namespace OpenSim.Data.MySQL if (string.IsNullOrEmpty(pattern)) pattern = "1"; else - pattern = string.Format("Name LIKE '%{0}%'", pattern); + pattern = string.Format("Name LIKE '%{0}%'", MySqlHelper.EscapeString(pattern)); return m_Groups.Get(string.Format("ShowInList=1 AND ({0}) ORDER BY Name LIMIT 100", pattern)); } -- cgit v1.1 From 6dc1b113d0a7cdf3d7b6d567728d39568f1ed982 Mon Sep 17 00:00:00 2001 From: Justin Clark-Casey (justincc) Date: Thu, 15 May 2014 22:45:01 +0100 Subject: Escape find string in PgSQL core groups plugin --- OpenSim/Data/PGSQL/PGSQLGenericTableHandler.cs | 18 ++++++++++++++++++ OpenSim/Data/PGSQL/PGSQLGroupsData.cs | 10 +++++++--- 2 files changed, 25 insertions(+), 3 deletions(-) (limited to 'OpenSim/Data') diff --git a/OpenSim/Data/PGSQL/PGSQLGenericTableHandler.cs b/OpenSim/Data/PGSQL/PGSQLGenericTableHandler.cs index 2151568..826c6fc 100644 --- a/OpenSim/Data/PGSQL/PGSQLGenericTableHandler.cs +++ b/OpenSim/Data/PGSQL/PGSQLGenericTableHandler.cs 
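Review bot: The added `MySqlHelper.EscapeString(pattern)` call still places the search text inside the SQL string, so the query's safety depends on client-side escaping matching the server's quoting rules; backslash escaping is, as far as I know, not honoured when the server runs in NO_BACKSLASH_ESCAPES mode. Binding the value removes that dependency, e.g. `Name LIKE ?pattern` with the parameter value `"%" + pattern + "%"`, provided the table handler has or is given an overload that accepts a parameter; none is visible in this hunk. Escaping also leaves `%` and `_` typed by the user acting as LIKE wildcards, which may be intended for a search box but deserves a one-line comment. RetrieveGroups begins above the hunk.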
@@ -300,9 +300,27 @@ namespace OpenSim.Data.PGSQL m_Realm, where); cmd.Connection = conn; cmd.CommandText = query; + //m_log.WarnFormat("[PGSQLGenericTable]: SELECT {0} WHERE {1}", m_Realm, where); + + conn.Open(); + return DoQuery(cmd); + } + } + public virtual T[] Get(string where, NpgsqlParameter parameter) + { + using (NpgsqlConnection conn = new NpgsqlConnection(m_ConnectionString)) + using (NpgsqlCommand cmd = new NpgsqlCommand()) + { + + string query = String.Format("SELECT * FROM {0} WHERE {1}", + m_Realm, where); + cmd.Connection = conn; + cmd.CommandText = query; //m_log.WarnFormat("[PGSQLGenericTable]: SELECT {0} WHERE {1}", m_Realm, where); + cmd.Parameters.Add(parameter); + conn.Open(); return DoQuery(cmd); } diff --git a/OpenSim/Data/PGSQL/PGSQLGroupsData.cs b/OpenSim/Data/PGSQL/PGSQLGroupsData.cs index ed75b63..15c965b 100644 --- a/OpenSim/Data/PGSQL/PGSQLGroupsData.cs +++ b/OpenSim/Data/PGSQL/PGSQLGroupsData.cs @@ -83,11 +83,15 @@ namespace OpenSim.Data.PGSQL public GroupData[] RetrieveGroups(string pattern) { if (string.IsNullOrEmpty(pattern)) // True for where clause + { pattern = " true ORDER BY lower(\"Name\") LIMIT 100"; + return m_Groups.Get(pattern); + } else - pattern = string.Format(" lower(\"Name\") LIKE lower('%{0}%') ORDER BY lower(\"Name\") LIMIT 100", pattern); - - return m_Groups.Get(pattern); + { + pattern = string.Format(" lower(\"Name\") LIKE lower('%:pattern%') ORDER BY lower(\"Name\") LIMIT 100"); + return m_Groups.Get(pattern, new NpgsqlParameter("pattern", pattern)); + } } public bool DeleteGroup(UUID groupID) -- cgit v1.1 From 4a74c4533c80403a664a761dbc871e52e3e7788e Mon Sep 17 00:00:00 2001 From: Justin Clark-Casey (justincc) Date: Thu, 15 May 2014 22:51:47 +0100 Subject: minor: eliminate now unnecessary string.Format in postgresql RetrieveGroups method --- OpenSim/Data/PGSQL/PGSQLGroupsData.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'OpenSim/Data') 
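Review bot: The new `Get(string where, NpgsqlParameter parameter)` overload still formats `where` straight into the statement, and nothing documents that contract. It needs an XML doc comment stating that `where` must be a constant SQL fragment written by the caller and that every externally supplied value has to be passed through `parameter`. A null `parameter` also reaches `cmd.Parameters.Add(parameter)` unchecked. The body repeats `Get(string where)` except for that one line, so a signature such as `public virtual T[] Get(string where, params NpgsqlParameter[] parameters)` using `cmd.Parameters.AddRange(parameters);` would let the older overload delegate here and would cover queries that need more than one bound value. The enclosing class is outside the hunk.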
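Review bot: In the else branch of RetrieveGroups the caller's search text never reaches the query: `pattern` is overwritten with the WHERE fragment before `new NpgsqlParameter("pattern", pattern)` is built, so the bound value is the SQL text itself. The marker also sits inside a quoted literal, `'%:pattern%'`, where it would normally be read as literal characters rather than a bind placeholder (worth confirming against the Npgsql version in use). Keeping the fragment in its own variable addresses both: `string where = " lower(\"Name\") LIKE lower(:pattern) ORDER BY lower(\"Name\") LIMIT 100";` followed by `return m_Groups.Get(where, new NpgsqlParameter("pattern", "%" + pattern + "%"));`. The follow-up commit that drops `string.Format` keeps the same two lines, so the point applies to that hunk as well.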
diff --git a/OpenSim/Data/PGSQL/PGSQLGroupsData.cs b/OpenSim/Data/PGSQL/PGSQLGroupsData.cs
index 15c965b..669e3c8 100644
--- a/OpenSim/Data/PGSQL/PGSQLGroupsData.cs
+++ b/OpenSim/Data/PGSQL/PGSQLGroupsData.cs
@@ -89,7 +89,7 @@ namespace OpenSim.Data.PGSQL
 }
 else
 {
- pattern = string.Format(" lower(\"Name\") LIKE lower('%:pattern%') ORDER BY lower(\"Name\") LIMIT 100");
+ pattern = " lower(\"Name\") LIKE lower('%:pattern%') ORDER BY lower(\"Name\") LIMIT 100";
 return m_Groups.Get(pattern, new NpgsqlParameter("pattern", pattern));
 }
 }
-- cgit v1.1