Merge pull request #5270 from sysown/v3.0_restapi_improvement

Use parameterized prepared statements in REST API for safer SQL execution

Author: renecannao

include/sqlite3db.h

@@ -206,6 +206,8 @@ class SQLite3DB {
 	bool execute_statement(const char *, char **, int *, int *, SQLite3_result **);
 	SQLite3_result* execute_statement(const char *, char **_error=NULL, int *_cols=NULL, int *_affected_rows=NULL);
 	bool execute_statement_raw(const char *, char **, int *, int *, sqlite3_stmt **);
+	bool execute_prepared(sqlite3_stmt* statement, char** error, int* cols, int* affected_rows, SQLite3_result** resultset);
+	SQLite3_result* execute_prepared(sqlite3_stmt* statement, char** _error, int* cols, int* affected_rows);
 	int return_one_int(const char *);
 	int check_table_structure(char *table_name, char *table_def);
 	bool build_table(char *table_name, char *table_def, bool dropit);

lib/ProxySQL_RESTAPI_Server.cpp

@@ -31,17 +31,22 @@ class sync_resource : public http_resource {
 	}
 
 	const std::shared_ptr<http_response> find_script(const http_request& req, std::string& script, int &interval_ms) {
-		char *error=NULL;
 		const string req_uri { req.get_path_piece(1) };
 		const string req_path { req.get_path() };
-		const string select_query {
-			"SELECT * FROM runtime_restapi_routes WHERE uri='" + req_uri + "' and"
-				" method='" + req.get_method() + "' and active=1"
-		};
-
-		std::unique_ptr<SQLite3_result> resultset {
-			std::unique_ptr<SQLite3_result>(GloAdmin->admindb->execute_statement(select_query.c_str(), &error))
-		};
+		const string select_query { "SELECT * FROM runtime_restapi_routes WHERE uri=?1 AND method=?2 AND active=1" };
+
+		std::unique_ptr<SQLite3_result> resultset = nullptr;
+		char* error = NULL;
+		int cols = 0;
+		int affected_rows = 0;
+
+		auto [rc, statement1] = GloAdmin->admindb->prepare_v2(select_query.c_str());
+		ASSERT_SQLITE_OK(rc, GloAdmin->admindb);
+		rc = (*proxy_sqlite3_bind_text)(statement1.get(), 1, req_uri.c_str(), -1, SQLITE_TRANSIENT); ASSERT_SQLITE_OK(rc, GloAdmin->admindb);
+		rc = (*proxy_sqlite3_bind_text)(statement1.get(), 2, req.get_method().c_str(), -1, SQLITE_TRANSIENT); ASSERT_SQLITE_OK(rc, GloAdmin->admindb);
+		resultset = std::unique_ptr<SQLite3_result>(GloAdmin->admindb->execute_prepared(statement1.get(), &error, &cols, &affected_rows));
+		rc = (*proxy_sqlite3_clear_bindings)(statement1.get()); ASSERT_SQLITE_OK(rc, GloAdmin->admindb);
+		rc = (*proxy_sqlite3_reset)(statement1.get()); ASSERT_SQLITE_OK(rc, GloAdmin->admindb);
 
 		if (!resultset) {
 			proxy_error(

lib/sqlite3db.cpp

@@ -425,6 +425,81 @@ bool SQLite3DB::execute_statement_raw(const char *str, char **error, int *cols,
 	return ret;
 }
 
+/**
+ * @brief Executes a prepared SQL statement and returns the result set.
+ *
+ * @param statement The prepared SQL statement to execute.
+ * @param _error Pointer to a variable to store the error message.
+ * @param _cols Pointer to a variable to store the number of columns.
+ * @param _affected_rows Pointer to a variable to store the number of affected rows.
+ * @return A pointer to the SQLite3_result object representing the result set.
+ */
+SQLite3_result* SQLite3DB::execute_prepared(sqlite3_stmt* statement, char** error, int* cols, int* affected_rows) {
+	SQLite3_result* resultset;
+
+	char* myerror;
+	char** _error = (error == NULL ? &myerror : error);
+
+	int mycols;
+	int* _cols = (cols == NULL ? &mycols : cols);
+
+	int my_affected_rows;
+	int* _affected_rows = (affected_rows == NULL ? &my_affected_rows : affected_rows);
+
+	if (execute_prepared(statement, _error, _cols, _affected_rows, &resultset))
+		return resultset;
+
+	return NULL;
+}
+
+/**
+ * @brief Executes a prepared SQL statement and returns the result set.
+ *
+ * @param statement The prepared SQLite statement to execute.
+ * @param error Pointer to a variable to store the error message.
+ * @param cols Pointer to a variable to store the number of columns.
+ * @param affected_rows Pointer to a variable to store the number of affected rows.
+ * @param resultset Pointer to a pointer to a SQLite3_result object representing the result set.
+ * @return True if the execution was successful, false otherwise.
+ */
+bool SQLite3DB::execute_prepared(sqlite3_stmt* statement, char** error, int* cols, int* affected_rows, SQLite3_result** resultset) {
+	int rc;
+	*error = NULL;
+	bool ret = false;
+	*cols = (*proxy_sqlite3_column_count)(statement);
+	if (*cols == 0) { // not a SELECT
+		*resultset = NULL;
+		// Get total changes before executing the statement
+		long long total_changes_before = (*proxy_sqlite3_total_changes64)(db);
+		do {
+			rc = (*proxy_sqlite3_step)(statement);
+			if (rc == SQLITE_LOCKED || rc == SQLITE_BUSY) { // the execution of the prepared statement failed because locked
+				if ((*proxy_sqlite3_get_autocommit)(db) == 0) {
+					*error = strdup((*proxy_sqlite3_errmsg)(db));
+					goto __exit_execute_prepared;
+				}
+				usleep(USLEEP_SQLITE_LOCKED);
+			}
+		} while (rc == SQLITE_LOCKED || rc == SQLITE_BUSY);
+		if (rc == SQLITE_DONE) {
+			// Calculate affected rows as the difference in total changes
+			long long total_changes_after = (*proxy_sqlite3_total_changes64)(db);
+			*affected_rows = (int)(total_changes_after - total_changes_before);
+			ret = true;
+		} else {
+			*error = strdup((*proxy_sqlite3_errmsg)(db));
+			goto __exit_execute_prepared;
+		}
+	} else {
+		*affected_rows = 0;
+		*resultset = new SQLite3_result(statement);
+		ret = true;
+	}
+__exit_execute_prepared:
+	//(*proxy_sqlite3_reset)(statement);
+	return ret;
+}
+
 /**
  * @brief Executes a SQL statement and returns a single integer result.
  *