diff --git a/checkin_notes b/checkin_notes
index 25ce1b2a37..e6fdbd41f0 100755
--- a/checkin_notes
+++ b/checkin_notes
@@ -13370,3 +13370,9 @@ David 25 Oct 2005
acct_setup.C
lib/
boinc_cmd.C
+
+David 25 Oct 2005
+ - avoid SQL injection attack
+
+ sched/
+ server_types.C
diff --git a/doc/client_unix.php b/doc/client_unix.php
index 13720238f9..dbb9348aad 100644
--- a/doc/client_unix.php
+++ b/doc/client_unix.php
@@ -93,11 +93,16 @@ The command-line interface program has the following interface:
boinc_cmd [--host hostname] [--passwd passwd] command
-The commands are as follows:
+The options and commands are as follows:
";
list_start();
list_item("--help, -h", "help (show commands)");
list_item("--version, -V", "show version");
+list_item("--host", "The host to connect to (default: localhost)");
+list_item("--password", "The password for RPC authentication
+ (default: boinc_cmd will look for a file 'gui_rpc_auth.cfg'
+ and use the password it contains)"
+);
list_item("--get_state", "show client state");
list_item("--get_results", "show results");
list_item("--get_file_transfers", "show file transfers");
diff --git a/sched/server_types.C b/sched/server_types.C
index a47ff2b51e..1b69c560d4 100644
--- a/sched/server_types.C
+++ b/sched/server_types.C
@@ -34,6 +34,20 @@ using namespace std;
#include "fcgi_stdio.h"
#endif
+// remove (by truncating) any quotes from the given string.
+// This is for things (e.g. authenticator) that will be used in
+// a SQL query, to prevent SQL injection attacks
+//
+void remove_quotes(char* p) {
+ int i, n=strlen(p);
+ for (i=0; i")) return ERR_XML_PARSE;
while (fgets(buf, 256, fin)) {
if (match_tag(buf, "")) return 0;
- else if (parse_str(buf, "", authenticator, sizeof(authenticator))) continue;
+ else if (parse_str(buf, "", authenticator, sizeof(authenticator))) {
+ remove_quotes(authenticator);
+ continue;
+ }
else if (parse_str(buf, "", cross_project_id, sizeof(cross_project_id))) continue;
else if (parse_int(buf, "", hostid)) continue;
else if (parse_int(buf, "", rpc_seqno)) continue;