Close a SQL injection loophole in the new database driver

mysql-performance
Melanie 2009-12-26 23:38:11 +00:00
parent 88b3b98811
commit 0369256720
1 changed files with 3 additions and 2 deletions


@ -216,11 +216,12 @@ namespace OpenSim.Data.MySQL
foreach (KeyValuePair<string, string> kvp in data) foreach (KeyValuePair<string, string> kvp in data)
{ {
names.Add(kvp.Key); names.Add(kvp.Key);
values.Add(kvp.Value); values.Add("?" + kvp.Key);
cmd.Parameters.AddWithValue("?" + kvp.Key, kvp.Value);
} }
} }
query = String.Format("replace into {0} (`", m_Realm) + String.Join("`,`", names.ToArray()) + "`) values ('" + String.Join("','", values.ToArray()) + "')"; query = String.Format("replace into {0} (`", m_Realm) + String.Join("`,`", names.ToArray()) + "`) values (" + String.Join(",", values.ToArray()) + ")";
cmd.CommandText = query; cmd.CommandText = query;
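Review bot: The keys of `data` are still spliced into the statement text on the new side, both in the backtick-quoted column list built from `names` and as placeholder names via `values.Add("?" + kvp.Key)`, so only the values are bound and a key containing a backtick or other SQL syntax would still change the query. If these keys can ever originate outside the module, check each one at the top of the loop body, for example `if (!Regex.IsMatch(kvp.Key, "^[A-Za-z0-9_]+$")) throw new ArgumentException("invalid column name: " + kvp.Key);` (this needs `System.Text.RegularExpressions`), or compare it against the table's known columns. `m_Realm` is also formatted into the text unquoted; it is presumably fixed by configuration, but a short comment stating that would help the next reader. The enclosing method starts and ends outside this hunk, so whether its other fields are bound the same way cannot be confirmed from here.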