From 33aa704701c60c04414c754a7e2080f7d762b92c Mon Sep 17 00:00:00 2001
From: Even Rouault
Date: Tue, 9 Jan 2024 21:58:44 +0100
Subject: [PATCH] DatabaseContext::Private::attachExtraDatabases(): fix false-positive CodeQL cpp/sql-injection
---
 src/iso19111/factory.cpp | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/src/iso19111/factory.cpp b/src/iso19111/factory.cpp
index 6baa8daeb1..95c21b788f 100644
--- a/src/iso19111/factory.cpp
+++ b/src/iso19111/factory.cpp
@@ -1282,18 +1282,15 @@ void DatabaseContext::Private::attachExtraDatabases(
 sqlite_handle, true, nLayoutVersionMajor, nLayoutVersionMinor);
 l_handle = sqlite_handle_;
- run("ATTACH DATABASE '" + replaceAll(databasePath_, "'", "''") +
- "' AS db_0");
+ run("ATTACH DATABASE ? AS db_0", {databasePath_});
 detach_ = true;
 int count = 1;
 for (const auto &otherDbPath : auxiliaryDatabasePaths) {
 const auto attachedDbName("db_" + toString(static_cast(count)));
- std::string sql = "ATTACH DATABASE '";
- sql += replaceAll(otherDbPath, "'", "''");
- sql += "' AS ";
+ std::string sql = "ATTACH DATABASE ? AS ";
 sql += attachedDbName;
 count++;
- run(sql);
+ run(sql, {otherDbPath});
 l_handle->checkDatabaseLayout(databasePath_, otherDbPath, attachedDbName + '.');