[Non-ACR][SQL Injection Attack - Static Query] 96/180096/1 accepted/tizen/unified/20181217.142042 submit/tizen/20181214.061228
authorAbhishek Vijay <abhishek.v@samsung.com>
Thu, 24 May 2018 15:55:26 +0000 (21:25 +0530)
committerAbhishek Vijay <abhishek.v@samsung.com>
Thu, 24 May 2018 15:55:26 +0000 (21:25 +0530)
Change-Id: I73ce9a3c8864e9236a308d281c3b364c2669e4d7
Signed-off-by: Abhishek Vijay <abhishek.v@samsung.com>
include/Database.h
src/server/Database.cpp

index ea9c470..71a0fc0 100644 (file)
@@ -59,7 +59,10 @@ namespace ctx {
 
                bool open();
                void close();
+               sqlite3_stmt* prepare_query(char *query);
+               bool query_bind_text(sqlite3_stmt* pStmt, int pos, const char *app_id);
 
+               bool execute(sqlite3_stmt* pStmt);
                bool execute(const std::string& query, const std::string& columnTypes, std::vector<std::string>* columnNames, std::vector<std::shared_ptr<Tuple>>* queryResult);
                bool execute(const std::string& query, std::vector<std::shared_ptr<Tuple>>* queryResult);
 
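Review bot: `prepare_query` takes a `char *` although `sqlite3_prepare_v2` only needs `const char *`, so callers holding a string literal or `std::string::c_str()` are forced into a cast; `sqlite3_stmt* prepare_query(const char *query);` is the natural signature. The three new declarations also use snake_case while the rest of this class (`open`, `close`, `execute`, `columnTypes`) is camelCase. The header does not say who owns the returned statement: it appears `execute(sqlite3_stmt*)` finalizes it, but a caller whose `query_bind_text` fails has no documented way to release it, so a comment such as `// Returned statement is finalized by execute(); on a bind failure the caller must sqlite3_finalize() it` would help.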
index e41e8d6..910dfb2 100644 (file)
@@ -149,6 +149,69 @@ static int __executionCb(void *userData, int dim, char** value, char** column)
        return E_NONE;
 }
 
+bool Database::query_bind_text(sqlite3_stmt* pStmt, int pos, const char *app_id)
+{
+       _I("query_bind_text");
+
+       IF_FAIL_RETURN_TAG(pStmt, false, _E, "prepared statement is NULL");
+       IF_FAIL_RETURN_TAG(app_id, NULL, _E, "app_id is NULL");
+
+       int rc = -1;
+
+       rc = sqlite3_bind_text(pStmt, pos, app_id, strlen(app_id), SQLITE_STATIC);
+
+       IF_FAIL_RETURN_TAG((SQLITE_OK == rc), false, _E, "sqlite3_bind_text fail, rc : %d\n", rc);
+
+       return true;
+}
+
+sqlite3_stmt* Database::prepare_query(char *query)
+{
+       _I("prepare_query");
+
+       IF_FAIL_RETURN_TAG(__dbHandle, NULL, _E, "Not opened");
+       IF_FAIL_RETURN_TAG(query, NULL, _E, "query is NULL");
+
+       int rc = -1;
+       sqlite3_stmt* pStmt = NULL;
+
+       rc = sqlite3_prepare_v2(__dbHandle, query, strlen(query), &pStmt, NULL);
+
+       IF_FAIL_RETURN_TAG((SQLITE_OK == rc), NULL, _E, "sqlite3_prepare_v2 fail, rc : %d\n", rc);
+
+       return pStmt;
+}
+
+bool Database::execute(sqlite3_stmt* pStmt)
+{
+       _I("execute with prepared statement");
+
+       IF_FAIL_RETURN_TAG(pStmt, false, _E, "prepared statement is NULL");
+
+       int rc = -1;
+
+       rc = sqlite3_step(pStmt);
+       if (rc != SQLITE_DONE) {
+               _E("sqlite3_step fail, rc : %d\n", rc);
+       } else {
+               _I("sqlite3_step Success");
+       }
+
+       rc = sqlite3_finalize(pStmt);
+       if (rc == SQLITE_BUSY) {
+               _E("sqlite3 busy = %d", rc);
+               goto END;
+       } else if (rc != SQLITE_OK) {
+               _E("sqlite3_finalize fail, rc : %d\n", rc);
+               goto END;
+       }
+
+       _I("sqlite3_finalize Success");
+       return true;
+END:
+       return false;
+}
+
 bool Database::execute(const std::string& query, const std::string& columnTypes,
                std::vector<std::string>* columnNames, std::vector<shared_ptr<Tuple>>* queryResult)
 {
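Review bot: `query_bind_text` binds with `SQLITE_STATIC`, which tells SQLite to keep a pointer to `app_id` rather than copy it, so if the caller's buffer is a temporary that dies before `execute(sqlite3_stmt*)` runs, `sqlite3_step` reads freed memory; unless the caller is known to keep the string alive until finalize, `rc = sqlite3_bind_text(pStmt, pos, app_id, strlen(app_id), SQLITE_TRANSIENT);` is the safe choice. On the `app_id` check in the same function the macro returns `NULL` from a `bool` function, which should be `false` to match the line above it. In `execute(sqlite3_stmt*)` the `sqlite3_step` result is only logged; whether the function returns false after a failed step depends entirely on `sqlite3_finalize` reporting it, so capturing the step outcome in a local and returning false when it is not `SQLITE_DONE` makes the contract explicit, and the two `goto END` branches can then simply `return false;`. It is also worth noting in a comment that a bind failure leaves `pStmt` un-finalized, since nothing in this hunk releases it on that path.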