version 0.3.33
[fms.git] / src / http / pages / execquerypage.cpp
index f86579a..97b402b 100644 (file)
@@ -8,12 +8,34 @@
 const std::string ExecQueryPage::GeneratePage(const std::string &method, const std::map<std::string,std::string> &queryvars)\r
 {\r
        std::string content="";\r
+       std::string query="";\r
 \r
-       if(queryvars.find("formaction")!=queryvars.end() && (*queryvars.find("formaction")).second=="execute" && queryvars.find("query")!=queryvars.end() && (*queryvars.find("query")).second!="")\r
+       if(queryvars.find("formaction")!=queryvars.end() && (*queryvars.find("formaction")).second=="execute" && queryvars.find("query")!=queryvars.end() && (*queryvars.find("query")).second!="" && ValidateFormPassword(queryvars))\r
        {\r
-               SQLite3DB::Recordset rs=m_db->Query((*queryvars.find("query")).second);\r
+               query=(*queryvars.find("query")).second;\r
+               SQLite3DB::Recordset rs=m_db->Query(query);\r
 \r
                content+="<table>";\r
+               if(rs.Count()>0)\r
+               {\r
+                       content+="<tr>";\r
+                       for(int i=0; i<rs.Cols(); i++)\r
+                       {\r
+                               content+="<th>";\r
+                               if(rs.GetColumnName(i))\r
+                               {\r
+                                       content+=rs.GetColumnName(i);\r
+                               }\r
+                               content+="</th>";\r
+                       }\r
+                       content+="<tr>";\r
+               }\r
+               else if(m_db->GetLastResult()!=SQLITE_OK)\r
+               {\r
+                       std::string error="";\r
+                       m_db->GetLastError(error);\r
+                       content+="<tr><td>"+error+"</td></tr>";\r
+               }\r
                while(!rs.AtEnd())\r
                {\r
                        content+="<tr>";\r
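Review bot: The new header row inserts `rs.GetColumnName(i)` (L26) and the SQLite error text (L36) into the HTML unescaped, while the later GetField output in the same function is routed through SanitizeOutput; both of these strings derive from the user-supplied query and should get the same treatment: `content+=SanitizeOutput(std::string(rs.GetColumnName(i)));` and `content+="<tr><td>"+SanitizeOutput(error)+"</td></tr>";`. The header row is also never closed: L30 emits a second `<tr>` where `content+="</tr>";` is intended, so the first data row ends up nested in the header row. The `i<rs.Cols()` comparison mixes `int` with whatever Cols() returns; if it is unsigned, consider matching the type. GeneratePage's body continues past the end of this hunk.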
@@ -22,7 +44,7 @@ const std::string ExecQueryPage::GeneratePage(const std::string &method, const s
                                content+="<td>";\r
                                if(rs.GetField(i))\r
                                {\r
-                                       content+=rs.GetField(i);\r
+                                       content+=SanitizeOutput(std::string(rs.GetField(i)));\r
                                }\r
                                content+="</td>";\r
                        }\r
@@ -34,12 +56,13 @@ const std::string ExecQueryPage::GeneratePage(const std::string &method, const s
 \r
        content+="<h2>Execute Query</h2>";\r
        content+="<form name=\"frmquery\" method=\"POST\">";\r
+       content+=CreateFormPassword();\r
        content+="<input type=\"hidden\" name=\"formaction\" value=\"execute\">";\r
-       content+="<textarea name=\"query\" rows=\"10\" cols=\"80\"></textarea>";\r
+       content+="<textarea name=\"query\" rows=\"10\" cols=\"80\">"+StringFunctions::Replace(query,"<","&lt;")+"</textarea>";\r
        content+="<input type=\"submit\" value=\"Execute Query\">";\r
        content+="</form>";\r
 \r
-       return "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"+StringFunctions::Replace(m_template,"[CONTENT]",content);\r
+       return StringFunctions::Replace(m_template,"[CONTENT]",content);\r
 }\r
 \r
 const bool ExecQueryPage::WillHandleURI(const std::string &uri)\r
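Review bot: The textarea echo on L57 escapes only `<`, so a query containing `&` (or an entity-like sequence) is decoded by the browser and does not round-trip byte-for-byte back into the form, and the escaping differs from the SanitizeOutput used for cell values earlier in this function; prefer `content+="<textarea name=\"query\" rows=\"10\" cols=\"80\">"+SanitizeOutput(query)+"</textarea>";` so the two code paths escape identically. Dropping the `HTTP/1.1 200 OK` status line and Content-Type on L62 presumably relies on the caller now prepending the response header; worth confirming every caller of GeneratePage does so, since this hunk cannot show it. The enclosing GeneratePage begins before the start of this hunk.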