authorDaniel Langesten <daniel.langest@gmail.com>2015-03-24 14:02:13 +0100
committerDaniel Langesten <daniel.langest@gmail.com>2015-03-24 14:02:13 +0100
commit88301b03ea26ce8cb18c3ab5c32618f0e1489230 (patch)
treecd2802db99bf9d04b3c46153734237f1ae747a65
parente031626c756d6dce1eca4ac9854332d507401a53 (diff)
added tables to prepared statements to hinder injections
-rw-r--r--sqlQueries.go45
1 files changed, 23 insertions, 22 deletions
diff --git a/sqlQueries.go b/sqlQueries.go
index 79b3847..e3b49d4 100644
--- a/sqlQueries.go
+++ b/sqlQueries.go
@@ -26,9 +26,9 @@ func fetchRawData(db *sql.DB, cfg *Config, tim time.Time) (rDat []RawData, err e
var prepSel *sql.Stmt
if cfg.Limit > 0 {
- prepSel, err = db.Prepare("SELECT ip_src,ip_dst,as_src,as_dst,port_src,port_dst,packets,pkt_len_distrib,stamp_inserted FROM " + cfg.RawTable + " WHERE stamp_processed IS NULL AND stamp_inserted < ? LIMIT ?")
+ prepSel, err = db.Prepare("SELECT ip_src,ip_dst,as_src,as_dst,port_src,port_dst,packets,pkt_len_distrib,stamp_inserted FROM ? WHERE stamp_processed IS NULL AND stamp_inserted < ? LIMIT ?")
} else {
- prepSel, err = db.Prepare("SELECT ip_src,ip_dst,as_src,as_dst,port_src,port_dst,packets,pkt_len_distrib,stamp_inserted FROM " + cfg.RawTable + " WHERE stamp_processed IS NULL AND stamp_inserted < ?")
+ prepSel, err = db.Prepare("SELECT ip_src,ip_dst,as_src,as_dst,port_src,port_dst,packets,pkt_len_distrib,stamp_inserted FROM ? WHERE stamp_processed IS NULL AND stamp_inserted < ?")
}
if err != nil {
slogger.Println("Failed to prepare select")
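Review bot: The new `FROM ?` in the Prepare call cannot work: a placeholder binds a data value, never an identifier, so the statement is rejected at prepare time and fetchRawData returns that error before any row is read (MySQL is implied by the `ON DUPLICATE KEY UPDATE` later in the file, and its prepared-statement protocol explicitly disallows parameter markers for table names). The same substitution appears in every other hunk of this file (the -37, -53, -78, -93, -130, -155, -222, -263 and -272 hunks), and the extra leading argument added to the Query/Exec calls there becomes a parameter-count mismatch once the SQL text is corrected. Because cfg.RawTable and cfg.CleanTable come from configuration rather than request input, the defensible approach is to keep the string concatenation but validate each table name once at config load, e.g. rejecting anything that does not match `^[A-Za-z0-9_]+$`, and to wrap the validated name in backticks in the query text so it can never be parsed as anything but an identifier. fetchRawData begins and ends outside this hunk.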
@@ -37,9 +37,9 @@ func fetchRawData(db *sql.DB, cfg *Config, tim time.Time) (rDat []RawData, err e
var rows *sql.Rows
if cfg.Limit > 0 {
- rows, err = prepSel.Query(tim, cfg.Limit)
+ rows, err = prepSel.Query(cfg.RawTable, tim, cfg.Limit)
} else {
- rows, err = prepSel.Query(tim)
+ rows, err = prepSel.Query(cfg.RawTable, tim)
}
if err != nil {
slogger.Println("Failed to query prepared selection")
@@ -53,7 +53,7 @@ func fetchRawData(db *sql.DB, cfg *Config, tim time.Time) (rDat []RawData, err e
return
}
- prepUp, err := tx.Prepare("UPDATE " + cfg.RawTable + " SET stamp_processed = ? where ip_src = ? AND ip_dst = ? AND as_src = ? AND as_dst = ? AND port_src = ? AND port_dst = ? AND packets = ? AND pkt_len_distrib = ? AND stamp_inserted = ?")
+ prepUp, err := tx.Prepare("UPDATE ? SET stamp_processed = ? where ip_src = ? AND ip_dst = ? AND as_src = ? AND as_dst = ? AND port_src = ? AND port_dst = ? AND packets = ? AND pkt_len_distrib = ? AND stamp_inserted = ?")
if err != nil {
slogger.Println("Failed to prepare update")
return
@@ -78,7 +78,7 @@ func fetchRawData(db *sql.DB, cfg *Config, tim time.Time) (rDat []RawData, err e
return
}
- _, err = prepUp.Exec(time.Now(), r.Ip_src, r.Ip_dst, r.As_src, r.As_dst, r.Port_src, r.Port_dst, r.Packets, r.Pkt_len_distrib, tim)
+ _, err = prepUp.Exec(cfg.RawTable, time.Now(), r.Ip_src, r.Ip_dst, r.As_src, r.As_dst, r.Port_src, r.Port_dst, r.Packets, r.Pkt_len_distrib, tim)
if err != nil {
slogger.Println("Failed to query prepared update")
tx.Rollback()
@@ -93,35 +93,36 @@ func fetchRawData(db *sql.DB, cfg *Config, tim time.Time) (rDat []RawData, err e
//Removes the stamp_processed from every entry that started being proccesed before tim
func reprocess(db *sql.DB, cfg *Config, tim time.Time) (err error) {
- stmt, err := db.Prepare("UPDATE " + cfg.RawTable + " SET stamp_processed = NULL WHERE stamp_processed < ?")
+ //TODO cfg.tabledable needs to go in a prepared statement
+ stmt, err := db.Prepare("UPDATE ? SET stamp_processed = NULL WHERE stamp_processed < ?")
if err != nil {
return
}
- _, err = stmt.Exec(tim)
+ _, err = stmt.Exec(cfg.RawTable, tim)
return
}
//Removes all entries in the database that started being processed before tim
func purgeAllProcessed(db *sql.DB, cfg *Config, tim time.Time) (err error) {
- stmt, err := db.Prepare("DELETE FROM " + cfg.RawTable + " WHERE stamp_processed < ? ")
+ stmt, err := db.Prepare("DELETE FROM ? WHERE stamp_processed < ? ")
if err != nil {
return
}
- _, err = stmt.Exec(tim)
+ _, err = stmt.Exec(cfg.RawTable, tim)
return
}
//Removes all Rawdata that is in rDat from the database
func purgeRawData(tx *sql.Tx, cfg *Config, rDat []RawData) (err error) {
- prepStmt, err := tx.Prepare("DELETE FROM " + cfg.RawTable + " WHERE ip_src = ? AND ip_dst = ? AND as_src = ? AND as_dst = ? AND port_src = ? AND port_dst = ? AND packets = ? AND pkt_len_distrib = ? AND stamp_processed IS NOT NULL LIMIT 1")
+ prepStmt, err := tx.Prepare("DELETE FROM ? WHERE ip_src = ? AND ip_dst = ? AND as_src = ? AND as_dst = ? AND port_src = ? AND port_dst = ? AND packets = ? AND pkt_len_distrib = ? AND stamp_processed IS NOT NULL LIMIT 1")
if err != nil {
return
}
for _, r := range rDat {
- _, err = prepStmt.Exec(r.Ip_src, r.Ip_dst, r.As_src, r.As_dst, r.Port_src, r.Port_dst, r.Packets, r.Pkt_len_distrib)
+ _, err = prepStmt.Exec(cfg.RawTable, r.Ip_src, r.Ip_dst, r.As_src, r.As_dst, r.Port_src, r.Port_dst, r.Packets, r.Pkt_len_distrib)
if err != nil {
return
}
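Review bot: The comment `//TODO cfg.tabledable needs to go in a prepared statement` added above the Prepare call in reprocess contradicts the line directly beneath it, which already passes the table as a bound argument, and misspells the field name, so a later reader cannot tell what task is still open. Either delete it or make it record the real open question, e.g. `// TODO: a table name cannot be a ? parameter; validate cfg.RawTable as a plain identifier instead`. purgeRawData, which starts in this hunk, continues past its last line.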
@@ -130,14 +131,14 @@ func purgeRawData(tx *sql.Tx, cfg *Config, rDat []RawData) (err error) {
}
func insertCleanData(tx *sql.Tx, cfg *Config, cd []cleanedData) error {
- prepStmt, err := tx.Prepare("INSERT INTO " + cfg.CleanTable + " (ipb_src, ipb_dst, as_src, as_dst, port_src, port_dst, occurences, volume, time_added) VALUES ( ? , ? , ? , ? , ? , ? , ? , ? , ? ) ON DUPLICATE KEY UPDATE occurences = occurences + ?")
+ prepStmt, err := tx.Prepare("INSERT INTO ? (ipb_src, ipb_dst, as_src, as_dst, port_src, port_dst, occurences, volume, time_added) VALUES ( ? , ? , ? , ? , ? , ? , ? , ? , ? ) ON DUPLICATE KEY UPDATE occurences = occurences + ?")
if err != nil {
slogger.Println("Failed to prepare statement")
return err
}
for ix := range cd {
- _, err = prepStmt.Exec(cd[ix].ipbSrc, cd[ix].ipbDst, cd[ix].asSrc, cd[ix].asDst, cd[ix].portSrc, cd[ix].portDst, cd[ix].occurences, cd[ix].volume, cd[ix].time, cd[ix].occurences)
+ _, err = prepStmt.Exec(cfg.CleanTable, cd[ix].ipbSrc, cd[ix].ipbDst, cd[ix].asSrc, cd[ix].asDst, cd[ix].portSrc, cd[ix].portDst, cd[ix].occurences, cd[ix].volume, cd[ix].time, cd[ix].occurences)
if err != nil {
slogger.Println("Failed to execute statement")
return err
@@ -155,14 +156,14 @@ func insertCleanDataToDB(cfg *Config, cd []cleanedData) error {
}
defer db.Close()
- prepStmt, err := db.Prepare("INSERT INTO " + cfg.CleanTable + " (ipb_src, ipb_dst, as_src, as_dst, port_src, port_dst, occurences, volume, time_added) VALUES ( ? , ? , ? , ? , ? , ? , ? , ? , ? ) ON DUPLICATE KEY UPDATE occurences = occurences + ?")
+ prepStmt, err := db.Prepare("INSERT INTO ? (ipb_src, ipb_dst, as_src, as_dst, port_src, port_dst, occurences, volume, time_added) VALUES ( ? , ? , ? , ? , ? , ? , ? , ? , ? ) ON DUPLICATE KEY UPDATE occurences = occurences + ?")
if err != nil {
slogger.Println("Failed to prepare statement")
return err
}
for ix := range cd {
- _, err = prepStmt.Exec(cd[ix].ipbSrc, cd[ix].ipbDst, cd[ix].asSrc, cd[ix].asDst, cd[ix].portSrc, cd[ix].portDst, cd[ix].occurences, cd[ix].volume, cd[ix].time, cd[ix].occurences)
+ _, err = prepStmt.Exec(cfg.CleanTable, cd[ix].ipbSrc, cd[ix].ipbDst, cd[ix].asSrc, cd[ix].asDst, cd[ix].portSrc, cd[ix].portDst, cd[ix].occurences, cd[ix].volume, cd[ix].time, cd[ix].occurences)
if err != nil {
slogger.Println("Failed to execute statement")
return err
@@ -222,20 +223,20 @@ func privatizeCleaned(db *sql.DB, t time.Time, cfg *Config) (err error) {
if cfg.Epsilon <= 0 {
return
}
- query, err := db.Prepare("SELECT ipb_src,ipb_dst,as_src,as_dst,port_src,port_dst,volume,time_added,occurences FROM " + cfg.CleanTable + " WHERE time_added < ?")
+ query, err := db.Prepare("SELECT ipb_src,ipb_dst,as_src,as_dst,port_src,port_dst,volume,time_added,occurences FROM ? WHERE time_added < ?")
if err != nil {
slogger.Println("Failed to prepare query")
return
}
- rows, err := query.Query(t)
+ rows, err := query.Query(cfg.CleanTable, t)
if err != nil {
slogger.Println("Failed to query for unprivitized rows")
return
}
defer rows.Close()
- update, err := db.Prepare("UPDATE " + cfg.CleanTable + " SET occurences = ? , time_privatized = ? WHERE ipb_src = ? AND ipb_dst = ? AND as_src = ? AND as_dst = ? AND port_src = ? AND port_dst = ? AND volume = ? AND time_added = ? ")
+ update, err := db.Prepare("UPDATE ? SET occurences = ? , time_privatized = ? WHERE ipb_src = ? AND ipb_dst = ? AND as_src = ? AND as_dst = ? AND port_src = ? AND port_dst = ? AND volume = ? AND time_added = ? ")
if err != nil {
slogger.Println("Failed to prepare update")
return
@@ -263,7 +264,7 @@ func privatizeCleaned(db *sql.DB, t time.Time, cfg *Config) (err error) {
cd.occurences = diffpriv(cd.occurences, 1, cfg.Epsilon)
// Update the entry
- _, err := update.Exec(cd.occurences, time.Now(), cd.ipbSrc, cd.ipbDst, cd.asSrc, cd.asDst, cd.portSrc, cd.portDst, cd.volume, cd.time)
+ _, err := update.Exec(cfg.CleanTable, cd.occurences, time.Now(), cd.ipbSrc, cd.ipbDst, cd.asSrc, cd.asDst, cd.portSrc, cd.portDst, cd.volume, cd.time)
if err != nil {
slogger.Println("Failed to update an entry:", err)
}
@@ -272,12 +273,12 @@ func privatizeCleaned(db *sql.DB, t time.Time, cfg *Config) (err error) {
}
func availableRows(tx *sql.Tx, cfg *Config, timeLimit time.Time) (numRows int, err error) {
- stmt, err := tx.Prepare("SELECT COUNT(*) FROM " + cfg.RawTable + " WHERE stamp_inserted < ? ")
+ stmt, err := tx.Prepare("SELECT COUNT(*) FROM ? WHERE stamp_inserted < ? ")
if err != nil {
slogger.Println("Could not prepare statement")
return
}
- row := stmt.QueryRow(timeLimit)
+ row := stmt.QueryRow(cfg.RawTable, timeLimit)
err = row.Scan(&numRows)
if err != nil {