authorChristian Ehrlicher <ch.ehrlicher@gmx.de>2024-02-26 15:18:39 +0100
committerChristian Ehrlicher <ch.ehrlicher@gmx.de>2024-03-02 00:12:55 +0100
commit000d462bf93b21a9bbb46fdba631c09ba3eb9276 (patch)
tree7d61e0f5b4bfc7e9efb9e954dff4a5c98fe4baf6 /src/plugins/sqldrivers/odbc
parent3b7013f9b7a111f0c40922e1de9c9f386a38e4f5 (diff)
SQL/ODBC: escape values in connection string
Values in connection strings must be escaped when they
 - contain a ; -> escape with "
 - start with ' -> escape with "
 - start with " -> escape with '

Fixes: QTBUG-122642
Pick-to: 6.7
Change-Id: I1df638194067af5df94a34009e1547886fdf928c
Reviewed-by: Axel Spoerl <axel.spoerl@qt.io>
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Diffstat (limited to 'src/plugins/sqldrivers/odbc')
-rw-r--r--src/plugins/sqldrivers/odbc/qsql_odbc.cpp22
1 files changed, 17 insertions, 5 deletions
diff --git a/src/plugins/sqldrivers/odbc/qsql_odbc.cpp b/src/plugins/sqldrivers/odbc/qsql_odbc.cpp
index a8f47e086b..f33aec7a83 100644
--- a/src/plugins/sqldrivers/odbc/qsql_odbc.cpp
+++ b/src/plugins/sqldrivers/odbc/qsql_odbc.cpp
@@ -1918,6 +1918,18 @@ bool QODBCDriver::open(const QString & db,
int,
const QString& connOpts)
{
+ const auto ensureEscaped = [](QString arg) -> QString {
+ QChar quoteChar;
+ if (arg.startsWith(u'"'))
+ quoteChar = u'\'';
+ else if (arg.startsWith(u'\''))
+ quoteChar = u'"';
+ else if (arg.contains(u';'))
+ quoteChar = u'"';
+ else
+ return arg;
+ return quoteChar + arg + quoteChar;
+ };
Q_D(QODBCDriver);
if (isOpen())
close();
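Review bot: ensureEscaped chooses the wrapping quote from the first character (or the presence of `;`) and never looks at quote characters inside the value, so a value containing both `;` and `"`, or one that starts with `"` and also contains `'`, still ends the quoted section early and the remainder is parsed as further connection attributes. Because `user` and `password` can originate outside the application, the lambda should neutralise the delimiter inside the value as well, for example with the ODBC brace form `return u'{' + arg.replace(u'}', "}}"_L1) + u'}';`, or by doubling the chosen quote; which form the target drivers accept needs to be confirmed. A short comment above the lambda stating which characters are handled and which are not would make that limit visible to callers. The body of QODBCDriver::open() continues outside this hunk.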
@@ -1953,17 +1965,17 @@ bool QODBCDriver::open(const QString & db,
QString connQStr;
// support the "DRIVER={SQL SERVER};SERVER=blah" syntax
if (db.contains(".dsn"_L1, Qt::CaseInsensitive))
- connQStr = "FILEDSN="_L1 + db;
+ connQStr = "FILEDSN="_L1 + ensureEscaped(db);
else if (db.contains("DRIVER="_L1, Qt::CaseInsensitive)
|| db.contains("SERVER="_L1, Qt::CaseInsensitive))
- connQStr = db;
+ connQStr = ensureEscaped(db);
else
- connQStr = "DSN="_L1 + db;
+ connQStr = "DSN="_L1 + ensureEscaped(db);
if (!user.isEmpty())
- connQStr += ";UID="_L1 + user;
+ connQStr += ";UID="_L1 + ensureEscaped(user);
if (!password.isEmpty())
- connQStr += ";PWD="_L1 + password;
+ connQStr += ";PWD="_L1 + ensureEscaped(password);
SQLSMALLINT cb;
QVarLengthArray<SQLTCHAR, 1024> connOut(1024);
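Review bot: In the `DRIVER=`/`SERVER=` branch `db` is already a complete connection string, and the example in the comment above it (`DRIVER={SQL SERVER};SERVER=blah`) contains a `;`, so `ensureEscaped(db)` wraps the whole string in double quotes and the driver manager would presumably no longer see separate attributes. That branch should stay `connQStr = db;`, with escaping limited to single values (the DSN/FILEDSN name, `user`, `password`). A one-line comment there, such as `// db is a caller-built connection string here; it is passed through unescaped`, would record that this input is trusted by design. The function starts and ends outside this hunk.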