Remove potential SQL injection
antoineatstariongroup committed Jan 20, 2025
1 parent 7be1a27 commit dc1760e
Showing 1 changed file with 10 additions and 6 deletions.
16 changes: 10 additions & 6 deletions CometServer/Modules/10-25/ExchangeFileImportApi.cs
Expand Up @@ -1077,15 +1077,16 @@ private void DropDataStoreAndPrepareNew(IDataStoreController dataStoreController
connection.Open();

// Drop the existing database
using (var cmd = new NpgsqlCommand())
using (var cmd = new NpgsqlCommand("", connection))
{
this.logger.LogDebug("Drop the data store");

dataStoreController.DropDataStoreConnections(backtierConfig.Database, connection);

cmd.Connection = connection;

cmd.CommandText = $"DROP DATABASE IF EXISTS {backtierConfig.Database};";
cmd.CommandText = "DROP DATABASE IF EXISTS (@databaseName);";
cmd.Parameters.AddWithValue("databaseName", backtierConfig.Database);

cmd.ExecuteNonQuery();
}
Expand All @@ -1096,8 +1097,8 @@ private void DropDataStoreAndPrepareNew(IDataStoreController dataStoreController
this.logger.LogDebug("Drop the restore data store");

cmd.Connection = connection;

cmd.CommandText = $"DROP DATABASE IF EXISTS {backtierConfig.DatabaseRestore};";
cmd.CommandText = "DROP DATABASE IF EXISTS (@databaseRestoreName);";
cmd.Parameters.AddWithValue("databaseRestoreName", backtierConfig.DatabaseRestore);

cmd.ExecuteNonQuery();
}
Expand All @@ -1107,8 +1108,11 @@ private void DropDataStoreAndPrepareNew(IDataStoreController dataStoreController
{
this.logger.LogDebug("Create the data store");
cmd.Connection = connection;

cmd.CommandText = $"CREATE DATABASE {backtierConfig.Database} WITH OWNER = {backtierConfig.UserName} TEMPLATE = {backtierConfig.DatabaseManage} ENCODING = 'UTF8';";

cmd.CommandText = "CREATE DATABSE (@databaseName) WITH OWNER = (@owner) TEMPLATE = (@databaseManager) ENCODING = UTF8;";
cmd.Parameters.AddWithValue("databaseName", backtierConfig.Database);
cmd.Parameters.AddWithValue("owner", backtierConfig.UserName);
cmd.Parameters.AddWithValue("databaseManager", backtierConfig.DatabaseManage);

cmd.ExecuteNonQuery();
}
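Review bot: PostgreSQL does not accept bind parameters in identifier positions, so `DROP DATABASE IF EXISTS (@databaseName);` on the new side of the first hunk — and the two sibling statements in the later hunks — will fail with a syntax error at runtime rather than close the injection; the surrounding parentheses are not valid there either, and the CREATE statement additionally misspells `CREATE DATABSE`. Database, owner and template names therefore have to stay interpolated, which means the protection has to come from validating the configured values against a strict identifier pattern and double-quoting them before interpolation, as sketched below (`Regex` needs `using System.Text.RegularExpressions;` if the file does not already have it). These values appear to come from `backtierConfig`, i.e. server configuration rather than request input, so the residual exposure is presumably limited to whoever controls that configuration, but a failing drop/create would break the import path entirely. The enclosing method `DropDataStoreAndPrepareNew` begins and ends outside the hunk.
```csharp
// Identifiers cannot be bound as parameters in PostgreSQL DDL: validate the
// configured names against a strict pattern and quote them before interpolation.
static string QuoteIdentifier(string name)
{
    if (string.IsNullOrEmpty(name) || !Regex.IsMatch(name, "^[A-Za-z_][A-Za-z0-9_]*$"))
    {
        throw new ArgumentException($"Invalid PostgreSQL identifier: '{name}'", nameof(name));
    }

    return "\"" + name + "\"";
}

// … unchanged: connection.Open(), DropDataStoreConnections call …
cmd.CommandText = $"DROP DATABASE IF EXISTS {QuoteIdentifier(backtierConfig.Database)};";
// … unchanged: second drop, same pattern applied to backtierConfig.DatabaseRestore …
cmd.CommandText = $"CREATE DATABASE {QuoteIdentifier(backtierConfig.Database)} WITH OWNER = {QuoteIdentifier(backtierConfig.UserName)} TEMPLATE = {QuoteIdentifier(backtierConfig.DatabaseManage)} ENCODING = 'UTF8';";
```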
