X-Git-Url: https://git.pterodactylus.net/?p=fms.git;a=blobdiff_plain;f=src%2Fhttp%2Fpages%2Fexecquerypage.cpp;h=97b402b60a586699f475e78c43e557b3fc462c1b;hp=f86579a45f62a19c3ef4582f45ab4bd4a33e4572;hb=HEAD;hpb=52c0819bfc1d083c6e0738f75f0d7eeba521295a

diff --git a/src/http/pages/execquerypage.cpp b/src/http/pages/execquerypage.cpp
index f86579a..97b402b 100644
--- a/src/http/pages/execquerypage.cpp
+++ b/src/http/pages/execquerypage.cpp
@@ -8,12 +8,34 @@
 const std::string ExecQueryPage::GeneratePage(const std::string &method, const std::map<std::string,std::string> &queryvars)
 {
 	std::string content="";
+	std::string query="";
 
-	if(queryvars.find("formaction")!=queryvars.end() && (*queryvars.find("formaction")).second=="execute" && queryvars.find("query")!=queryvars.end() && (*queryvars.find("query")).second!="")
+	if(queryvars.find("formaction")!=queryvars.end() && (*queryvars.find("formaction")).second=="execute" && queryvars.find("query")!=queryvars.end() && (*queryvars.find("query")).second!="" && ValidateFormPassword(queryvars))
 	{
-		SQLite3DB::Recordset rs=m_db->Query((*queryvars.find("query")).second);
+		query=(*queryvars.find("query")).second;
+		SQLite3DB::Recordset rs=m_db->Query(query);
 
 		content+="<table>";
+		if(rs.Count()>0)
+		{
+			content+="<tr>";
+			for(int i=0; i<rs.Cols(); i++)
+			{
+				content+="<th>";
+				if(rs.GetColumnName(i))
+				{
+					content+=rs.GetColumnName(i);
+				}
+				content+="</th>";
+			}
+			content+="<tr>";
+		}
+		else if(m_db->GetLastResult()!=SQLITE_OK)
+		{
+			std::string error="";
+			m_db->GetLastError(error);
+			content+="<tr><td>"+error+"</td></tr>";
+		}
 		while(!rs.AtEnd())
 		{
 			content+="<tr>";
@@ -22,7 +44,7 @@ const std::string ExecQueryPage::GeneratePage(const std::string &method, const s
 				content+="<td>";
 				if(rs.GetField(i))
 				{
-					content+=rs.GetField(i);
+					content+=SanitizeOutput(std::string(rs.GetField(i)));
 				}
 				content+="</td>";
 			}
@@ -34,12 +56,13 @@ const std::string ExecQueryPage::GeneratePage(const std::string &method, const s
 
 	content+="<h2>Execute Query</h2>";
 	content+="<form name=\"frmquery\" method=\"POST\">";
+	content+=CreateFormPassword();
 	content+="<input type=\"hidden\" name=\"formaction\" value=\"execute\">";
-	content+="<textarea name=\"query\" rows=\"10\" cols=\"80\"></textarea>";
+	content+="<textarea name=\"query\" rows=\"10\" cols=\"80\">"+StringFunctions::Replace(query,"<","&lt;")+"</textarea>";
 	content+="<input type=\"submit\" value=\"Execute Query\">";
 	content+="</form>";
 
-	return "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"+StringFunctions::Replace(m_template,"[CONTENT]",content);
+	return StringFunctions::Replace(m_template,"[CONTENT]",content);
 }
 
 const bool ExecQueryPage::WillHandleURI(const std::string &uri)