Fix static analysis issue

- Fix uninitialized local variable
- Fix sql injection

Change-Id: Ic0d572e2b0354ee237194d5ec3c5c1aafad3472d
Signed-off-by: Ilho Kim <ilho159.kim@samsung.com>

diff --git a/src/server/database/query_handler.cc b/src/server/database/query_handler.cc
index de0ce93..ef58fb4 100644 (file)
--- a/src/server/database/query_handler.cc
+++ b/src/server/database/query_handler.cc
@@ -250,7 +250,7 @@ int QueryHandler::Execute() {
   }
 
   std::vector<std::pair<sqlite3*, uid_t>> conn_list = GetConnection();
-  int ret;
+  int ret = PMINFO_R_ERROR;
   if (GetOpType() == pkgmgr_common::DBOperationType::OPERATION_TYPE_READ) {
     for (auto& conn : conn_list) {
       for (GList* it = args_list; it; it = it->next) {

diff --git a/src/server/initialize_db_internal.c b/src/server/initialize_db_internal.c
index 3c15ad2..c272c23 100644 (file)
--- a/src/server/initialize_db_internal.c
+++ b/src/server/initialize_db_internal.c
@@ -143,6 +143,7 @@ static int __set_db_version(sqlite3 *db) {
        static const char query_raw[] = "PRAGMA user_version=%Q";
        int ret;
        FILE *fp = NULL;
+       sqlite3_stmt *stmt;
        char version[PKG_STRING_LEN_MAX] = { 0 };
        char *query = NULL;
 
@@ -165,13 +166,21 @@ static int __set_db_version(sqlite3 *db) {
                return -1;
        }
 
-       ret = sqlite3_exec(db, query, NULL, NULL, NULL);
+       ret = sqlite3_prepare_v2(db, query, strlen(query), &stmt, NULL);
+       sqlite3_free(query);
        if (ret != SQLITE_OK) {
-               _LOGE("exec failed: %s", sqlite3_errmsg(db));
-               sqlite3_free(query);
+               _LOGE("prepare failed: %s", sqlite3_errmsg(db));
                return -1;
        }
-       sqlite3_free(query);
+
+       ret = sqlite3_step(stmt);
+       if (ret != SQLITE_DONE) {
+               _LOGE("sqlite3_step failed: %d", ret);
+               sqlite3_finalize(stmt);
+               return -1;
+       }
+
+       sqlite3_finalize(stmt);
 
        return 0;
 }