Diff

Differences From:

File src/xfer.c part of check-in [7a2c37063a] - merge trunk into creole branch by bob on 2009-09-22 07:49:39. Also file src/xfer.c part of check-in [39a144eb5c] - Make sure that bringing up the "/xfer" URL in a web-browser does something sensible (it redirects to the homepage.) Ticket 1d7bbe30aad51. by drh on 2009-09-16 14:50:24. [view]

To:

File src/xfer.c part of check-in [7a39dde24b] - Clean up and merge updates from trunk by robert on 2009-09-26 08:17:33. Also file src/xfer.c part of check-in [43481115ed] - Add a "logo" image to the local server state. Return this image on all requests to the "/logo" URL. Allow the administrator to set up that image. Include the image in the default header. by drh on 2009-09-21 19:10:35. [view]

@@ -384,15 +384,17 @@
 */
 void check_login(Blob *pLogin, Blob *pNonce, Blob *pSig){
   Stmt q;
   int rc = -1;
+  char *zLogin = blob_terminate(pLogin);
+  defossilize(zLogin);
 
   db_prepare(&q,
      "SELECT pw, cap, uid FROM user"
-     " WHERE login=%B"
+     " WHERE login=%Q"
      "   AND login NOT IN ('anonymous','nobody','developer','reader')"
      "   AND length(pw)>0",
-     pLogin
+     zLogin
   );
   if( db_step(&q)==SQLITE_ROW ){
     Blob pw, combined, hash;
     blob_zero(&pw);
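Review bot: `defossilize(zLogin)` rewrites the login in place, and zLogin appears to alias pLogin's own buffer (it comes from `blob_terminate(pLogin)`), so the caller's blob is modified and its recorded size may no longer match the decoded string. The header comment that ends just above the signature should say so, for example `** pLogin is decoded in place; callers must not reuse it as the wire-format login afterwards.` Because the login is client-supplied, decoding first and then passing the result through `%Q` is the right order and should stay that way. check_login's body continues past the end of this hunk, so any later use of pLogin by size is not visible here.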
@@ -522,13 +524,16 @@
 ** Send a single config card for configuration item zName
 */
 static void send_config_card(Xfer *pXfer, const char *zName){
   if( zName[0]!='@' ){
-    char *zValue = db_get(zName, 0);
-    if( zValue ){
-      blob_appendf(pXfer->pOut, "config %s %d\n%s\n",
-                   zName, strlen(zValue), zValue);
-      free(zValue);
+    Blob val;
+    blob_zero(&val);
+    db_blob(&val, "SELECT value FROM config WHERE name=%Q", zName);
+    if( blob_size(&val)>0 ){
+      blob_appendf(pXfer->pOut, "config %s %d\n", zName, blob_size(&val));
+      blob_append(pXfer->pOut, blob_buffer(&val), blob_size(&val));
+      blob_reset(&val);
+      blob_append(pXfer->pOut, "\n", 1);
     }
   }else{
     Blob content;
     blob_zero(&content);
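Review bot: `blob_reset(&val)` sits inside the `if( blob_size(&val)>0 )` branch of send_config_card, so the release only happens for non-empty values; moving it to just after the closing brace of that `if` makes cleanup unconditional and keeps it out of the middle of the output sequence. The `>0` test also means a config entry that exists with an empty value is no longer sent, whereas the old `if( zValue )` check presumably sent it with length 0. If that is intended, a comment such as `/* empty and missing values are both skipped */` would record it. The else-branch of the function continues outside the hunk.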
@@ -767,12 +772,23 @@
         nErr++;
         break;
       }
       if( zName[0]!='@' ){
-        db_multi_exec(
-            "REPLACE INTO config(name,value) VALUES(%Q,%Q)",
-            zName, blob_str(&content)
-        );
+        if( strcmp(zName, "logo-image")==0 ){
+          Stmt ins;
+          db_prepare(&ins,
+            "REPLACE INTO config(name, value) VALUES(:name, :value)"
+          );
+          db_bind_text(&ins, ":name", zName);
+          db_bind_blob(&ins, ":value", &content);
+          db_step(&ins);
+          db_finalize(&ins);
+        }else{
+          db_multi_exec(
+              "REPLACE INTO config(name,value) VALUES(%Q,%Q)",
+              zName, blob_str(&content)
+          );
+        }
       }else{
         /* Notice that we are evaluating arbitrary SQL received from the
         ** client.  But this can only happen if the client has authenticated
         ** as an administrator, so presumably we trust the client at this
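Review bot: The result of `db_step(&ins)` in the new `logo-image` branch is discarded, so unless db_step itself aborts on error, a failed REPLACE of client-supplied content is treated as success even though the surrounding code counts failures in nErr. Consider `if( db_step(&ins)!=SQLITE_DONE ) nErr++;` before `db_finalize(&ins);`. The identical block in the `@@ -1129,12 +1145,23 @@` hunk has the same unchecked step. Since the two blocks are line-for-line copies, a small static helper taking zName and the content blob would keep the two receive paths from drifting apart. The enclosing function starts and ends outside this hunk.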
@@ -1129,12 +1145,23 @@
         blob_extract(xfer.pIn, size, &content);
         g.okAdmin = g.okRdAddr = 1;
         if( configure_is_exportable(zName) & origConfigRcvMask ){
           if( zName[0]!='@' ){
-            db_multi_exec(
-                "REPLACE INTO config(name,value) VALUES(%Q,%Q)",
-                zName, blob_str(&content)
-            );
+            if( strcmp(zName, "logo-image")==0 ){
+              Stmt ins;
+              db_prepare(&ins,
+                "REPLACE INTO config(name, value) VALUES(:name, :value)"
+              );
+              db_bind_text(&ins, ":name", zName);
+              db_bind_blob(&ins, ":value", &content);
+              db_step(&ins);
+              db_finalize(&ins);
+            }else{
+              db_multi_exec(
+                  "REPLACE INTO config(name,value) VALUES(%Q,%Q)",
+                  zName, blob_str(&content)
+              );
+            }
           }else{
             /* Notice that we are evaluating arbitrary SQL received from the
             ** server.  But this can only happen if we have specifically
             ** requested configuration information from the server, so