kkdai/MySQL_Fixed_Injection.cpp

## MySQL_Fixed_Injection.cpp
#include <queue>
#include <string>

#include <my_global.h>
#include <mysql.h>
#include <string.h>

#include <pthread.h>
#include <time.h>

#include "../myServerSetting.h"
#include <pthread.h>

using namespace std;

#define _DEBUG 1

#if _DEBUG
    #define DebugOut(...) {printf(__VA_ARGS__); fflush(stdout);}
#else
    #define DebugOut(...) {;}
#endif

#define UDP_LISTEN_PORT 8120

char *db_escape_string(string sql)
{
	char *s = new char[sql.size()*2 + 1];
	mysql_escape_string(s, const_cast<char *>(sql.c_str()), sql.size());
	return s;
}

void WriteLogFile(const char *Cmd,...)
{
	char szString[1024];
	va_list args;
	va_start(args,Cmd);
	vsprintf(szString,Cmd,args);
	va_end(args);

	time_t rawtime;
	struct tm * timeinfo;
	char date_buff [80];
	char time_buff [80];

	time (&rawtime);
	timeinfo = localtime (&rawtime);
	strftime (date_buff,80,"%F",timeinfo);
	strftime (time_buff,80,"%r",timeinfo);

	char *sting_to_file = new char[1024];
	sprintf(sting_to_file, "[%s %s]%s", date_buff, time_buff, szString);

	char *file_name = new char[128];
	sprintf(file_name, "/var/log/ParingServer/%s-test.log", date_buff);

	FILE* pFile = fopen(file_name, "a");
	fprintf(pFile, "%s\n",sting_to_file);

	fclose(pFile);
	delete sting_to_file;
	delete file_name;
}

char* strupr(char *str)
{
	int len = strlen(str);

	for(int i=0;i<len;i++)
	{
		if ((str[i] <= 'z') && (str[i] >= 'a'))
			str[i] = str[i] - 'a' + 'A';
	}
	return str;
}

class MysqlObj{

protected:

	bool m_selfCreate;
	char m_Cmd[1024];
	MYSQL_RES *m_Result;

public:
	MYSQL *m_con;
	MysqlObj(const char *server,const char *user,const char *password,const char *database)
	{
		m_selfCreate=false;
		m_Result = NULL;
		m_con = mysql_init(NULL);

		if (m_con == NULL)
		{
			fprintf(stderr, "%s\n", mysql_error(m_con));
		}

		if (mysql_real_connect(m_con, server, user, password, database, 0, NULL, 0) == NULL)
		{
			fprintf(stderr, "%s\n", mysql_error(m_con));
			mysql_close(m_con);
			m_con = NULL;
  		}
		my_bool reconnect = 1;
		mysql_options(m_con, MYSQL_OPT_RECONNECT, &reconnect);
		m_selfCreate=true;
	}

	MysqlObj(const MYSQL *con,const char *server,const char *user,const char *password,const char * database)
	{
		m_selfCreate=false;
        	m_Result = NULL;
		if(con)
			m_con = (MYSQL *)con;
		else
			MysqlObj(server, user, password, database);
	}

	~MysqlObj()
	{
   		if(m_Result)
			mysql_free_result(m_Result);
		if(m_con)
    			mysql_close(m_con);
	}

	bool MysqlCmd(const char *Cmd,...)
	{
		va_list args;
		va_start(args,Cmd);
		vsprintf(m_Cmd,Cmd,args);
		va_end(args);

		printf("SQL cmd=%s \n", m_Cmd);

		mysql_ping(m_con);
  		if (mysql_query(m_con, m_Cmd)==0)
			return true;
		fprintf(stderr, "%s\n", mysql_error(m_con));
		return false;
	}

	bool MysqlQuery(const char *Query,...)
	{
		va_list args;
		va_start(args,Query);
		vsprintf(m_Cmd,Query,args);
		va_end(args);

		printf("SQL cmd=%s \n", m_Cmd);
		if(m_Result)
			mysql_free_result(m_Result);

		mysql_ping(m_con);
  		if (mysql_query(m_con, m_Cmd)==0)
  		{
   			m_Result = mysql_store_result(m_con);
   			if (m_Result)
				return true;
		}
		fprintf(stderr, "%s\n", mysql_error(m_con));
		return false;
	}

	char *MysqlGetSingleResult()
	{
		if(m_Result)
		{
      		MYSQL_ROW row;

      		row = mysql_fetch_row(m_Result);
			if(row&&row[0])
				return row[0];
		}
		return (char*)"";
	}
};

int main(int argc, char **argv)
{
	WriteLogFile("%s %s \n", "test", "Write");

	printf("Service Start..\n");

	const char * cmd_str = NULL;
	if (argc > 1) {
		cmd_str = argv[1];
	} else {
		cmd_str = "s' OR '1'='1'";	//SQL Injection testing string.
	}
	fprintf(stderr, "Console cmd= %s\n", cmd_str);

	MysqlObj *pMyObj =  new MysqlObj("localhost", MYSQL_ID, MYSQL_PW, "jabberd2");


	if(pMyObj->MysqlQuery("SELECT status from status where `collection-owner`='%s'", db_escape_string(cmd_str) ) )  {
		printf ("Found data \n");
	}
	else
		printf ("Don't have data \n");
}
	#include <queue>
	#include <string>

	#include <my_global.h>
	#include <mysql.h>
	#include <string.h>

	#include <pthread.h>
	#include <time.h>

	#include "../myServerSetting.h"
	#include <pthread.h>

	using namespace std;

	#define _DEBUG 1

	#if _DEBUG
	#define DebugOut(...) {printf(__VA_ARGS__); fflush(stdout);}
	#else
	#define DebugOut(...) {;}
	#endif

	#define UDP_LISTEN_PORT 8120

	char *db_escape_string(string sql)
	{
	char s = new char[sql.size()2 + 1];
	mysql_escape_string(s, const_cast<char *>(sql.c_str()), sql.size());
	return s;
	}

	void WriteLogFile(const char *Cmd,...)
	{
	char szString[1024];
	va_list args;
	va_start(args,Cmd);
	vsprintf(szString,Cmd,args);
	va_end(args);

	time_t rawtime;
	struct tm * timeinfo;
	char date_buff [80];
	char time_buff [80];

	time (&rawtime);
	timeinfo = localtime (&rawtime);
	strftime (date_buff,80,"%F",timeinfo);
	strftime (time_buff,80,"%r",timeinfo);

	char *sting_to_file = new char[1024];
	sprintf(sting_to_file, "[%s %s]%s", date_buff, time_buff, szString);

	char *file_name = new char[128];
	sprintf(file_name, "/var/log/ParingServer/%s-test.log", date_buff);

	FILE* pFile = fopen(file_name, "a");
	fprintf(pFile, "%s\n",sting_to_file);

	fclose(pFile);
	delete sting_to_file;
	delete file_name;
	}

	char* strupr(char *str)
	{
	int len = strlen(str);

	for(int i=0;i<len;i++)
	{
	if ((str[i] <= 'z') && (str[i] >= 'a'))
	str[i] = str[i] - 'a' + 'A';
	}
	return str;
	}

	class MysqlObj{

	protected:

	bool m_selfCreate;
	char m_Cmd[1024];
	MYSQL_RES *m_Result;

	public:
	MYSQL *m_con;
	MysqlObj(const char server,const char user,const char password,const char database)
	{
	m_selfCreate=false;
	m_Result = NULL;
	m_con = mysql_init(NULL);

	if (m_con == NULL)
	{
	fprintf(stderr, "%s\n", mysql_error(m_con));
	}

	if (mysql_real_connect(m_con, server, user, password, database, 0, NULL, 0) == NULL)
	{
	fprintf(stderr, "%s\n", mysql_error(m_con));
	mysql_close(m_con);
	m_con = NULL;
	}
	my_bool reconnect = 1;
	mysql_options(m_con, MYSQL_OPT_RECONNECT, &reconnect);
	m_selfCreate=true;
	}

	MysqlObj(const MYSQL con,const char server,const char user,const char password,const char * database)
	{
	m_selfCreate=false;
	m_Result = NULL;
	if(con)
	m_con = (MYSQL *)con;
	else
	MysqlObj(server, user, password, database);
	}

	~MysqlObj()
	{
	if(m_Result)
	mysql_free_result(m_Result);
	if(m_con)
	mysql_close(m_con);
	}

	bool MysqlCmd(const char *Cmd,...)
	{
	va_list args;
	va_start(args,Cmd);
	vsprintf(m_Cmd,Cmd,args);
	va_end(args);

	printf("SQL cmd=%s \n", m_Cmd);

	mysql_ping(m_con);
	if (mysql_query(m_con, m_Cmd)==0)
	return true;
	fprintf(stderr, "%s\n", mysql_error(m_con));
	return false;
	}

	bool MysqlQuery(const char *Query,...)
	{
	va_list args;
	va_start(args,Query);
	vsprintf(m_Cmd,Query,args);
	va_end(args);

	printf("SQL cmd=%s \n", m_Cmd);
	if(m_Result)
	mysql_free_result(m_Result);

	mysql_ping(m_con);
	if (mysql_query(m_con, m_Cmd)==0)
	{
	m_Result = mysql_store_result(m_con);
	if (m_Result)
	return true;
	}
	fprintf(stderr, "%s\n", mysql_error(m_con));
	return false;
	}

	char *MysqlGetSingleResult()
	{
	if(m_Result)
	{
	MYSQL_ROW row;

	row = mysql_fetch_row(m_Result);
	if(row&&row[0])
	return row[0];
	}
	return (char*)"";
	}
	};

	int main(int argc, char **argv)
	{
	WriteLogFile("%s %s \n", "test", "Write");

	printf("Service Start..\n");

	const char * cmd_str = NULL;
	if (argc > 1) {
	cmd_str = argv[1];
	} else {
	cmd_str = "s' OR '1'='1'"; //SQL Injection testing string.
	}
	fprintf(stderr, "Console cmd= %s\n", cmd_str);

	MysqlObj *pMyObj = new MysqlObj("localhost", MYSQL_ID, MYSQL_PW, "jabberd2");


	if(pMyObj->MysqlQuery("SELECT status from status where `collection-owner`='%s'", db_escape_string(cmd_str) ) ) {
	printf ("Found data \n");
	}
	else
	printf ("Don't have data \n");
	}