From d6a47a6d7e69fb7abebb1482bc965bd2cb4fae13 Mon Sep 17 00:00:00 2001
From: louis
Date: Sat, 24 Aug 2013 08:53:37 +0200
Subject: escaped some select statements correctly

---
 HISTORY | 7 +++++++
 tvscraperdb.c | 38 ++++++++++++++++++++++++++++++++------
 tvscraperdb.h | 1 +
 3 files changed, 40 insertions(+), 6 deletions(-)

diff --git a/HISTORY b/HISTORY
index f816225..cd1075d 100644
--- a/HISTORY
+++ b/HISTORY
@@ -4,3 +4,10 @@ VDR Plugin 'tvscraper' Revision History
 2013-07-26: Version 0.0.1
 
 - Initial revision.
+
+2013-08-24: Version 0.0.2
+
+- renamed plugin to "tvscraper"
+- removed unnecessary string in ScrapRecordings
+- Correctly escaped select statements with movie
+ or series titles
diff --git a/tvscraperdb.c b/tvscraperdb.c
index e89be33..245e43e 100644
--- a/tvscraperdb.c
+++ b/tvscraperdb.c
@@ -51,6 +51,34 @@ vector > cTVScraperDB::Query(string query) {
 return results;
 }
 
+vector > cTVScraperDB::QueryEscaped(string query, string where) {
+sqlite3_stmt *statement;
+vector > results;
+if(sqlite3_prepare_v2(db, query.c_str(), -1, &statement, 0) == SQLITE_OK) {
+sqlite3_bind_text(statement, 1, where.c_str(), -1, SQLITE_TRANSIENT);
+int cols = sqlite3_column_count(statement);
+int result = 0;
+while(true) {
+result = sqlite3_step(statement);
+if(result == SQLITE_ROW) {
+vector values;
+for(int col = 0; col < cols; col++) {
+values.push_back((char*)sqlite3_column_text(statement, col));
+}
+results.push_back(values);
+} else {
+break;
+}
+}
+sqlite3_finalize(statement);
+}
+string error = sqlite3_errmsg(db);
+if(error != "not an error") {
+esyslog("tvscraper: query failed: %s , error: %s", query.c_str(), error.c_str());
+}
+return results;
+}
+
 bool cTVScraperDB::Connect(void) {
 if (inMem) {
 if (sqlite3_open(dbPathMem.c_str(),&db)!=SQLITE_OK) {
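Review bot: `values.push_back((char*)sqlite3_column_text(statement, col));` in the new QueryEscaped constructs a std::string straight from the returned pointer, and sqlite3_column_text returns NULL for a SQL NULL column, so a row with a NULL field is undefined behaviour (in practice a crash); guard it with `const unsigned char *txt = sqlite3_column_text(statement, col);` followed by `values.push_back(txt ? (const char*)txt : "");`. The error check that follows compares sqlite3_errmsg(db) against the literal "not an error", which is fragile; the return codes are already in hand, so testing the sqlite3_prepare_v2 result, the ignored sqlite3_bind_text return, and `result != SQLITE_DONE` after the loop would be more robust. Binding the title with SQLITE_TRANSIENT rather than concatenating it is the right fix for the injection this commit addresses, and it has the useful side effect that the `query` text written to the log no longer contains user-supplied data.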
@@ -395,9 +423,8 @@ bool cTVScraperDB::SeriesExists(int seriesID) {
 }
 
 int cTVScraperDB::SearchMovie(string movieTitle) {
- stringstream sql;
- sql << "select movie_id from movies where movie_title='" << movieTitle.c_str() << "'";
- vector > result = Query(sql.str());
+ string sql = "select movie_id from movies where movie_title=?";
+ vector > result = QueryEscaped(sql, movieTitle);
 int movieID = 0;
 if (result.size() > 0) {
 vector >::iterator it = result.begin();
@@ -410,9 +437,8 @@ int cTVScraperDB::SearchMovie(string movieTitle) {
 }
 
 int cTVScraperDB::SearchSeries(string seriesTitle) {
- stringstream sql;
- sql << "select series_id from series where series_name='" << seriesTitle.c_str() << "'";
- vector > result = Query(sql.str());
+ string sql = "select series_id from series where series_name=?";
+ vector > result = QueryEscaped(sql, seriesTitle);
 int seriesID = 0;
 if (result.size() > 0) {
 vector >::iterator it = result.begin();
diff --git a/tvscraperdb.h b/tvscraperdb.h
index a8f06ee..fa9c58d 100644
--- a/tvscraperdb.h
+++ b/tvscraperdb.h
@@ -12,6 +12,7 @@ private:
 string dbPathMem;
 bool inMem;
 vector > Query(string query);
+ vector > QueryEscaped(string query, string where);
 int LoadOrSaveDb(sqlite3 *pInMemory, const char *zFilename, int isSave);
 bool CreateTables(void);
 public:
--
cgit v1.2.3
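Review bot: `string sql = "select movie_id from movies where movie_title=?";` in SearchMovie builds a mutable std::string only to copy it into QueryEscaped's by-value `query` parameter; the text is a fixed literal, so it can be passed directly, `vector<vector<string> > result = QueryEscaped("select movie_id from movies where movie_title=?", movieTitle);`, or kept as `static const char *const sql`. A short comment at the call site, e.g. `// title is bound as SQL parameter 1 by QueryEscaped, never interpolated into the text`, would help a later editor not reintroduce the concatenation this commit removes. SearchMovie's body continues past the end of the hunk.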
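Review bot: The new declaration `QueryEscaped(string query, string where);` in tvscraperdb.h has no documentation, and the name suggests string escaping while the implementation in this patch binds `where` as SQL parameter 1 of a prepared `query`, which is a different and safer mechanism; a reader of the header alone cannot tell that the query must contain a `?` placeholder. I would add above it `// Prepares `query`, which must contain exactly one `?` placeholder, binds `where` to it as a text parameter (parameter binding, not string escaping) and returns every row as text columns.`; a name such as QueryWithParam would say the same thing, though the rename is optional. The enclosing class definition starts and ends outside the hunk.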