Add db_escape_string to fix the MySQL SQL injection (the value is escaped before it is placed inside the quoted literal)
#include <cstdarg>
#include <cstdio>
#include <pthread.h>
#include <string.h>
#include <time.h>
#include <queue>
#include <string>
#include <my_global.h>
#include <mysql.h>
#include "../myServerSetting.h"
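using namespace std;

// Debug tracing. DebugOut() prints to stdout and flushes immediately so the
// output survives a crash. Both expansions are a single do/while(0)
// statement, so `if (x) DebugOut(...); else ...` parses as intended; the
// original brace-block expansion made that a syntax error.
#define _DEBUG 1
#if _DEBUG
#define DebugOut(...) do { printf(__VA_ARGS__); fflush(stdout); } while (0)
#else
#define DebugOut(...) do { } while (0)
#endif
// UDP port the pairing server listens on (not referenced in the code shown here).
#define UDP_LISTEN_PORT 8120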
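// Escape a value for use *inside a quoted* SQL string literal ('...').
//
// Returns a heap buffer allocated with new[]; the caller owns it and must
// release it with delete[]. Its size is 2*len+1: every byte may gain a
// backslash, plus the terminating NUL.
//
// Limits a reviewer should keep in mind when this is used to "fix" an
// injection:
//  * mysql_escape_string() has no connection handle, so it cannot honour the
//    connection character set or the NO_BACKSLASH_ESCAPES SQL mode. Prefer
//    the MYSQL* overload below, which uses mysql_real_escape_string().
//  * Escaping only protects a value placed between quotes; it does nothing
//    for identifiers, numbers or LIMIT clauses. Prepared statements
//    (mysql_stmt_prepare) are the robust fix.
char *db_escape_string(const string &sql)
{
    char *escaped = new char[sql.size() * 2 + 1];
    mysql_escape_string(escaped, sql.c_str(), sql.size());
    return escaped;
}

// Character-set-aware variant: escapes according to the charset and SQL mode
// of `con`. Same ownership contract as above (caller delete[]s the result).
// Falls back to the connection-less escape when con is NULL so callers always
// get a usable buffer.
char *db_escape_string(MYSQL *con, const string &sql)
{
    if (con == NULL)
        return db_escape_string(sql);
    char *escaped = new char[sql.size() * 2 + 1];
    mysql_real_escape_string(con, escaped, sql.c_str(), sql.size());
    return escaped;
}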
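// Append one timestamped line to /var/log/ParingServer/<YYYY-MM-DD>-test.log.
//
// Cmd/... are printf-style; Cmd must be a trusted (literal) format string.
// The message is truncated at 1023 bytes. The original used vsprintf/sprintf
// into fixed buffers, so a long argument overflowed the stack, and the
// "[date time]" prefix alone could push the second sprintf past its
// 1024-byte buffer; it also never checked fopen() and mismatched new[]/delete.
void WriteLogFile(const char *Cmd, ...)
{
    char szString[1024];
    va_list args;
    va_start(args, Cmd);
    vsnprintf(szString, sizeof(szString), Cmd, args);
    va_end(args);

    // localtime() hands back a shared static buffer; this file includes
    // pthread.h, so use the reentrant variant.
    time_t rawtime;
    struct tm timeinfo;
    char date_buff[80];
    char time_buff[80];
    time(&rawtime);
    localtime_r(&rawtime, &timeinfo);
    strftime(date_buff, sizeof(date_buff), "%F", &timeinfo);
    strftime(time_buff, sizeof(time_buff), "%r", &timeinfo);

    // Sized so the worst case (two 79-char stamps plus the full 1023-byte
    // message and the brackets) still fits without truncation.
    char line[1024 + 2 * 80 + 8];
    snprintf(line, sizeof(line), "[%s %s]%s", date_buff, time_buff, szString);

    char file_name[128];
    snprintf(file_name, sizeof(file_name), "/var/log/ParingServer/%s-test.log", date_buff);

    // Logging is best-effort: if the directory is missing or unwritable,
    // report on stderr instead of dereferencing a NULL FILE*.
    FILE *pFile = fopen(file_name, "a");
    if (pFile == NULL) {
        fprintf(stderr, "WriteLogFile: cannot open %s\n", file_name);
        return;
    }
    fprintf(pFile, "%s\n", line);
    fclose(pFile);
}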
// In-place ASCII upper-casing of a NUL-terminated string; returns `str`.
// Only the bytes 'a'..'z' are changed, so the result does not depend on the
// locale and bytes outside that range (including anything >= 0x80) are left
// untouched.
char* strupr(char *str)
{
    for (char *p = str; *p != '\0'; ++p) {
        if (*p >= 'a' && *p <= 'z')
            *p = *p - ('a' - 'A');
    }
    return str;
}
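// Thin wrapper around one libmysqlclient connection plus the result set of
// the most recent MysqlQuery().
//
// Statements are assembled with printf-style formatting: nothing in this
// class escapes the arguments, so every value that originates outside the
// program (argv, network, user data) MUST be passed through
// db_escape_string()/mysql_real_escape_string() by the caller and placed
// inside quotes in the format string. Prepared statements
// (mysql_stmt_prepare) are the safer choice for new code.
//
// The object is non-copyable: the destructor frees m_Result and closes a
// connection it opened itself, and a copy would do both twice.
class MysqlObj{
protected:
    bool m_selfCreate;      // true when this object opened m_con and must close it
    char m_Cmd[1024];       // formatted statement buffer (statements are limited to 1023 bytes)
    MYSQL_RES *m_Result;    // result of the last successful MysqlQuery(), or NULL

    // Open a new connection. On failure m_con is left NULL and the reason is
    // printed to stderr. Shared by both constructors.
    void Connect(const char *server, const char *user, const char *password, const char *database)
    {
        m_con = mysql_init(NULL);
        if (m_con == NULL)
        {
            // mysql_init() fails only when out of memory, and there is no
            // handle to ask for an error string (the original called
            // mysql_error(NULL) and then went on to connect with NULL).
            fprintf(stderr, "mysql_init failed (out of memory)\n");
            return;
        }
        // Per the mysql_options() docs, options are set between mysql_init()
        // and mysql_real_connect(); the original set MYSQL_OPT_RECONNECT
        // after connecting, even on the path that had just NULLed m_con.
        // Note that auto-reconnect silently drops session state (temporary
        // tables, SET variables, prepared statements) when it fires.
        my_bool reconnect = 1;
        mysql_options(m_con, MYSQL_OPT_RECONNECT, &reconnect);
        if (mysql_real_connect(m_con, server, user, password, database, 0, NULL, 0) == NULL)
        {
            fprintf(stderr, "%s\n", mysql_error(m_con));
            mysql_close(m_con);
            m_con = NULL;
            return;
        }
        m_selfCreate = true;
    }

    // Format a statement into m_Cmd. Returns false (and executes nothing)
    // when the result would not fit, instead of overflowing the buffer the
    // way vsprintf did.
    bool FormatCmd(const char *fmt, va_list args)
    {
        int n = vsnprintf(m_Cmd, sizeof(m_Cmd), fmt, args);
        if (n < 0 || (size_t)n >= sizeof(m_Cmd))
        {
            fprintf(stderr, "SQL statement too long (%d bytes, max %u)\n",
                    n, (unsigned)(sizeof(m_Cmd) - 1));
            m_Cmd[0] = '\0';
            return false;
        }
        return true;
    }

private:
    // Non-copyable (see class comment): declared, never defined.
    MysqlObj(const MysqlObj &);
    MysqlObj &operator=(const MysqlObj &);

public:
    MYSQL *m_con;           // NULL when no usable connection exists

    // Open a connection owned by this object; check m_con for NULL afterwards.
    MysqlObj(const char *server,const char *user,const char *password,const char *database)
        : m_selfCreate(false), m_Result(NULL), m_con(NULL)
    {
        m_Cmd[0] = '\0';
        Connect(server, user, password, database);
    }

    // Wrap an existing connection (which the destructor will NOT close), or
    // open a new one when con is NULL. The original invoked the other
    // constructor as a statement, which built and immediately destroyed a
    // temporary object and left m_con uninitialized.
    MysqlObj(const MYSQL *con,const char *server,const char *user,const char *password,const char * database)
        : m_selfCreate(false), m_Result(NULL), m_con(NULL)
    {
        m_Cmd[0] = '\0';
        if(con)
            m_con = const_cast<MYSQL *>(con);
        else
            Connect(server, user, password, database);
    }

    ~MysqlObj()
    {
        if(m_Result)
            mysql_free_result(m_Result);
        // Only close a connection we opened; a borrowed handle belongs to the caller.
        if(m_con && m_selfCreate)
            mysql_close(m_con);
    }

    // Execute a statement that produces no result set (INSERT/UPDATE/DELETE/DDL).
    // Returns true on success; errors go to stderr. The full statement,
    // including any user-supplied values, is echoed to stdout.
    bool MysqlCmd(const char *Cmd,...)
    {
        va_list args;
        va_start(args,Cmd);
        bool ok = FormatCmd(Cmd, args);
        va_end(args);
        if (!ok || m_con == NULL)
            return false;
        printf("SQL cmd=%s \n", m_Cmd);
        mysql_ping(m_con);
        if (mysql_query(m_con, m_Cmd)==0)
            return true;
        fprintf(stderr, "%s\n", mysql_error(m_con));
        return false;
    }

    // Execute a statement and store its result set in m_Result. Returns true
    // only when a result set was produced; the previous result set is always
    // released first.
    bool MysqlQuery(const char *Query,...)
    {
        va_list args;
        va_start(args,Query);
        bool ok = FormatCmd(Query, args);
        va_end(args);
        // Free the previous result AND reset the pointer: the original freed
        // it but kept the dangling pointer, so a failed query followed by the
        // destructor (or the next MysqlQuery) freed it a second time.
        if(m_Result)
        {
            mysql_free_result(m_Result);
            m_Result = NULL;
        }
        if (!ok || m_con == NULL)
            return false;
        printf("SQL cmd=%s \n", m_Cmd);
        mysql_ping(m_con);
        if (mysql_query(m_con, m_Cmd)==0)
        {
            m_Result = mysql_store_result(m_con);
            if (m_Result)
                return true;
        }
        fprintf(stderr, "%s\n", mysql_error(m_con));
        return false;
    }

    // First column of the next row of the last result set, or "" when there
    // is no result set, no more rows, or the value is SQL NULL. The returned
    // pointer refers into m_Result and is valid only until the next
    // MysqlQuery() or destruction; callers must not free or modify it.
    char *MysqlGetSingleResult()
    {
        if(m_Result)
        {
            MYSQL_ROW row = mysql_fetch_row(m_Result);
            if(row && row[0])
                return row[0];
        }
        return (char*)"";
    }
};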
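// Demo entry point: escapes argv[1] (or a canned injection probe) and looks
// it up in the jabberd2 status table.
//
// Exit status: 0 after the query ran (found or not, as before), 1 when no
// database connection could be opened (the original went on to use the NULL
// handle).
int main(int argc, char **argv)
{
    WriteLogFile("%s %s \n", "test", "Write");
    printf("Service Start..\n");

    const char *cmd_str = (argc > 1) ? argv[1] : "s' OR '1'='1'"; // SQL Injection testing string.
    fprintf(stderr, "Console cmd= %s\n", cmd_str);

    // Stack object so the destructor (and mysql_close) actually runs; the
    // original leaked the heap-allocated MysqlObj. MYSQL_ID/MYSQL_PW come
    // from ../myServerSetting.h (presumably checked-in credentials — worth
    // moving to a config file with restricted permissions).
    MysqlObj myObj("localhost", MYSQL_ID, MYSQL_PW, "jabberd2");
    if (myObj.m_con == NULL) {
        fprintf(stderr, "No database connection\n");
        return 1;
    }

    // db_escape_string() returns a new[] buffer the caller owns. The escaped
    // value is only safe because it sits inside the '...' quotes below;
    // mysql_escape_string() is also unaware of the connection charset, so a
    // prepared statement would be the more robust fix.
    char *escaped = db_escape_string(cmd_str);
    bool found = myObj.MysqlQuery("SELECT status from status where `collection-owner`='%s'", escaped);
    delete[] escaped;

    if (found) {
        printf ("Found data \n");
    }
    else
        printf ("Don't have data \n");
    return 0;
}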