made sql injection impossible
git-svn-id: http://yolanda.mister-muffin.de/svn@48 7eef14d0-6ed0-489d-bf55-20463b2d70db
This commit is contained in:
parent
fc5300dc09
commit
6933085e94
5 changed files with 28 additions and 31 deletions
@ -37,10 +37,10 @@ sub get_username_from_sid
|
|||
my $dbh = DBI->connect("DBI:mysql:$database:$dbhost", $dbuser, $dbpass) or die $dbh->errstr;
|
||||
|
||||
#prepare query
|
||||
my $sth = $dbh->prepare(qq{select username from users where sid = '$sid'}) or die $dbh->errstr;
|
||||
my $sth = $dbh->prepare(qq{select username from users where sid = ?}) or die $dbh->errstr;
|
||||
|
||||
#execute it
|
||||
$sth->execute() or die $dbh->errstr;
|
||||
$sth->execute($sid) or die $dbh->errstr;
|
||||
|
||||
#save the resulting username
|
||||
my ($username) = $sth->fetchrow_array();
|
||||
|
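Review bot: The `DBI->connect(...) or die $dbh->errstr;` line at the top of this hunk evaluates `$dbh->errstr` only when `$dbh` is undef, so a failed connection dies with "Can't call method errstr on an undefined value" rather than the driver's message; `DBI->connect(...) or die DBI->errstr;` reports the actual cause. This is a context line rather than part of the change, and the same pattern appears on the connect lines of the get_userid_from_sid, register, search and upload hunks. The parameterized prepare/execute pair itself looks right as far as the hunk shows; get_username_from_sid continues outside the hunk. Since get_userid_from_sid in the next hunk is the same code with `id` in place of `username`, a shared helper along the lines of `_lookup_by_sid($column, $sid)` would keep the two bound-parameter queries from drifting apart in future edits.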
@ -65,10 +65,10 @@ sub get_userid_from_sid
|
|||
my $dbh = DBI->connect("DBI:mysql:$database:$dbhost", $dbuser, $dbpass) or die $dbh->errstr;
|
||||
|
||||
#prepare query
|
||||
my $sth = $dbh->prepare(qq{select id from users where sid = '$sid'}) or die $dbh->errstr;
|
||||
my $sth = $dbh->prepare(qq{select id from users where sid = ?}) or die $dbh->errstr;
|
||||
|
||||
#execute it
|
||||
$sth->execute() or die $dbh->errstr;
|
||||
$sth->execute($sid) or die $dbh->errstr;
|
||||
|
||||
#save the resulting username
|
||||
my ($username) = $sth->fetchrow_array();
|
||||
|
|
|
@ -15,28 +15,21 @@ if($query->param('action'))
|
|||
#if login is requested
|
||||
if($query->param('action') eq "login")
|
||||
{
|
||||
#save POST data in local variables
|
||||
my $user = $query->param('user');
|
||||
my $pass = $query->param('pass');
|
||||
|
||||
#prepare query
|
||||
my $sth = $dbh->prepare(qq{select username from users
|
||||
where password = password('$pass')
|
||||
and username = '$user'
|
||||
where password = password( ? )
|
||||
and username = ?
|
||||
limit 1 });
|
||||
|
||||
#execute query
|
||||
$sth->execute();
|
||||
$sth->execute($query->param('pass'), $query->param('user'));
|
||||
|
||||
#if something was returned username and password match
|
||||
if($sth->fetchrow_array())
|
||||
{
|
||||
#store session id in local variable
|
||||
my $sid = $session->id;
|
||||
|
||||
#store session id in database
|
||||
$sth = $dbh->prepare(qq{update users set sid = '$sid' where username = '$user'});
|
||||
$sth->execute();
|
||||
$sth = $dbh->prepare(qq{update users set sid = ? where username = ? });
|
||||
$sth->execute($session->id, $query->param('user'));
|
||||
$sth->finish();
|
||||
print $session->header();
|
||||
print "logged in";
|
||||
|
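Review bot: The new execute call `$sth->execute($query->param('pass'), $query->param('user'));` invokes CGI's `param` in list context, where it returns every value of a repeated parameter (or an empty list when the parameter is absent), so the bind list can change length or shift and the two placeholders no longer line up with the intended values. The locals `$user` and `$pass` declared just above already hold the scalar values and are now unused by the new code, as is `$sid`; `$sth->execute($pass, $user);` and `$sth->execute($sid, $user);` keep the binding one-to-one. The same list-context calls appear in the register hunk (`$query->param("user"), $query->param("pass")`, where the `$user`/`$pass` locals also still exist) and in the upload hunk (`$query->param("title"), $query->param("caption")`, where the locals were removed by this commit and `scalar $query->param("title")` is the direct form). Separately, the sid stored on the users row is the pre-login session id; regenerating the session id on successful login is the usual protection against a pre-existing id being promoted to an authenticated one, and is worth confirming in the session setup outside this hunk.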
@ -53,8 +46,8 @@ if($query->param('action'))
|
|||
{
|
||||
#if logout is requested
|
||||
#remove sid from database
|
||||
$sth = $dbh->prepare(qq{update users set sid = '' where username = '$user'});
|
||||
$sth->execute();
|
||||
$sth = $dbh->prepare(qq{update users set sid = '' where username = ?});
|
||||
$sth->execute(get_username_from_sid($session->id));
|
||||
$sth->finish();
|
||||
$session->delete();
|
||||
print $session->header();
|
||||
|
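Review bot: `$sth->execute(get_username_from_sid($session->id));` discards the return value, so a failed update is silently followed by `$session->delete()` and a success header; the execute calls in the login hunk (the credential check and the sid update) are unchecked in the same way, whereas the register, search and upload hunks all use `or die $dbh->errstr`. Adding `$sth->execute(get_username_from_sid($session->id)) or die $dbh->errstr;` here, and the equivalent on the two login calls, would make error handling consistent across the commit. When the session id is not present in the table, get_username_from_sid presumably returns undef (its return statement is outside the first hunk), so the update binds NULL and matches no row — harmless, but silent; `$sth->rows` could be logged if orphaned sessions matter. The enclosing else block begins outside this hunk.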
|
|
@ -13,12 +13,14 @@ if($query->param('user') and $query->param('pass'))
|
|||
#connect to db
|
||||
my $dbh = DBI->connect("DBI:mysql:$database:$host", $dbuser, $dbpass) or die $dbh->errstr;
|
||||
|
||||
#save POST data in local variables
|
||||
my $user = $query->param("user");
|
||||
my $pass = $query->param("pass");
|
||||
|
||||
#do query
|
||||
$dbh->do(qq{insert into users (username, password) values ('$user', password('$pass'))}) or die $dbh->errstr;
|
||||
$sth = $dbh->prepare(qq{insert into users (username, password) values ( ?, password( ? ))}) or die $dbh->errstr;
|
||||
|
||||
#execute it
|
||||
$sth->execute($query->param("user"), $query->param("pass")) or die $dbh->errstr;
|
||||
|
||||
#finish query
|
||||
$sth->finish() or die $dbh->errstr;
|
||||
|
||||
#disconnect db
|
||||
$dbh->disconnect() or die $dbh->errstr;
|
||||
|
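Review bot: `$sth = $dbh->prepare(qq{insert into users ...})` assigns `$sth` without `my`, while `$dbh` two lines above is lexical; unless `$sth` is declared earlier in the file (not visible here) this will not compile under `use strict`, and `my $sth = $dbh->prepare(...)` keeps the statement handle scoped alongside the connection. The old `$dbh->do` form needed no handle, so this is a new variable introduced by the change. The password is hashed with MySQL's `password()` in both old and new code; that function is a fast, unsalted hash intended for MySQL account credentials rather than application users, so a follow-up that hashes on the application side with a salted, slow algorithm (independent of this commit's scope) would be appropriate.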
|
|
@ -22,10 +22,10 @@ if($query->param('query'))
|
|||
my $dbh = DBI->connect("DBI:mysql:$database:$dbhost", $dbuser, $dbpass) or die $dbh->errstr;
|
||||
|
||||
#prepare query
|
||||
my $sth = $dbh->prepare(qq{select title, caption, timestamp from videos where match(title, caption) against('$search_query') }) or die $dbh->errstr;
|
||||
my $sth = $dbh->prepare(qq{select title, caption, timestamp from videos where match(title, caption) against( ? ) }) or die $dbh->errstr;
|
||||
|
||||
#execute it
|
||||
$sth->execute() or die $dbh->errstr;
|
||||
$sth->execute($search_query) or die $dbh->errstr;
|
||||
|
||||
#get every returned value
|
||||
while (my ($title, $caption, $timestamp) = $sth->fetchrow_array())
|
||||
|
|
|
@ -24,10 +24,6 @@ if($userid)
|
|||
#connect to db
|
||||
my $dbh = DBI->connect("DBI:mysql:$database:$host", $dbuser, $dbpass) or die $dbh->errstr;
|
||||
|
||||
#save POST data in local variables
|
||||
my $title = $query->param("title");
|
||||
my $caption = $query->param("caption");
|
||||
|
||||
#video status:
|
||||
# 0 - new entry - nothing done yet
|
||||
# 1 - successfully uploaded
|
||||
|
@ -35,10 +31,16 @@ if($userid)
|
|||
# 3 - error: was not a valid video/format
|
||||
# 4 - error: video is a duplicate
|
||||
#do query
|
||||
$dbh->do(qq{insert into videos (title, caption, userid, status, timestamp) values ('$title', '$caption', '$userid', 0, now())}) or die $dbh->errstr;
|
||||
my $sth = $dbh->prepare(qq{insert into videos (title, caption, userid, status, timestamp) values ( ?, ?, ?, 0, now())}) or die $dbh->errstr;
|
||||
|
||||
#execute it
|
||||
$sth->execute($query->param("title"), $query->param("caption"), $userid) or die $dbh->errstr;
|
||||
|
||||
#finish query
|
||||
$sth->finish() or die $dbh->errstr;
|
||||
|
||||
#prepare query
|
||||
my $sth = $dbh->prepare(qq{select last_insert_id() }) or die $dbh->errstr;
|
||||
$sth = $dbh->prepare(qq{select last_insert_id() }) or die $dbh->errstr;
|
||||
|
||||
#execute it
|
||||
$sth->execute() or die $dbh->errstr;
|
||||
|
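Review bot: The separate `select last_insert_id()` prepare/execute after the insert can be replaced by `my $video_id = $dbh->last_insert_id(undef, undef, undef, undef);` (DBI's accessor; DBD::mysql also exposes `$dbh->{mysql_insertid}`), which drops a round trip and the `$sth` reuse that forced `my` to be removed from the second prepare. The status value `0` in the new insert is explained only by the comment block above it; a named value such as `use constant STATUS_NEW => 0;` bound as the fourth parameter would tie the insert to that documentation. The rest of the if($userid) block, including whatever consumes the fetched id, is outside the hunk.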
|