From 6933085e94560863f136aa4244d94ba32d0df6e8 Mon Sep 17 00:00:00 2001
From: josch
Date: Fri, 12 Oct 2007 00:34:32 +0000
Subject: [PATCH] made sql injection impossible

git-svn-id: http://yolanda.mister-muffin.de/svn@48 7eef14d0-6ed0-489d-bf55-20463b2d70db
---
 trunk/functions.pl | 8 ++++----
 trunk/login.pl | 21 +++++++--------------
 trunk/register.pl | 12 +++++++-----
 trunk/search.pl | 4 ++--
 trunk/uploader.pl | 14 ++++++++------
 5 files changed, 28 insertions(+), 31 deletions(-)

diff --git a/trunk/functions.pl b/trunk/functions.pl
index 3937031..496b731 100644
--- a/trunk/functions.pl
+++ b/trunk/functions.pl
@@ -37,10 +37,10 @@ sub get_username_from_sid
 my $dbh = DBI->connect("DBI:mysql:$database:$dbhost", $dbuser, $dbpass) or die $dbh->errstr;
 #prepare query
- my $sth = $dbh->prepare(qq{select username from users where sid = '$sid'}) or die $dbh->errstr;
+ my $sth = $dbh->prepare(qq{select username from users where sid = ?}) or die $dbh->errstr;
 #execute it
- $sth->execute() or die $dbh->errstr;
+ $sth->execute($sid) or die $dbh->errstr;
 #save the resulting username
 my ($username) = $sth->fetchrow_array();
@@ -65,10 +65,10 @@ sub get_userid_from_sid
 my $dbh = DBI->connect("DBI:mysql:$database:$dbhost", $dbuser, $dbpass) or die $dbh->errstr;
 #prepare query
- my $sth = $dbh->prepare(qq{select id from users where sid = '$sid'}) or die $dbh->errstr;
+ my $sth = $dbh->prepare(qq{select id from users where sid = ?}) or die $dbh->errstr;
 #execute it
- $sth->execute() or die $dbh->errstr;
+ $sth->execute($sid) or die $dbh->errstr;
 #save the resulting username
 my ($username) = $sth->fetchrow_array();
diff --git a/trunk/login.pl b/trunk/login.pl
index 4c09e20..77d4b07 100644
--- a/trunk/login.pl
+++ b/trunk/login.pl
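Review bot: The new `$sth->execute($sid)` in get_username_from_sid binds whatever session id it is handed, including an empty string, and because the logout path in login.pl writes `sid = ''` for every logged-out account, a caller that passes '' would be resolved to whichever logged-out row the database returns first; the get_userid_from_sid hunk below has the same exposure. A guard before the connect, `return unless defined $sid and length $sid;`, closes that path on the lookup side (storing NULL instead of '' on logout is the complementary fix on the write side). Separately, the context line `DBI->connect(...) or die $dbh->errstr` dereferences an undefined `$dbh` when the connect fails, so the real driver error is replaced by a "Can't call method" message; `or die $DBI::errstr` reports the actual cause. Both subs start outside the hunk.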
@@ -15,28 +15,21 @@ if($query->param('action'))
 #if login is requested
 if($query->param('action') eq "login")
 {
- #save POST data in local variables
- my $user = $query->param('user');
- my $pass = $query->param('pass');
-
 #prepare query
 my $sth = $dbh->prepare(qq{select username from users
- where password = password('$pass')
- and username = '$user'
+ where password = password( ? )
+ and username = ?
 limit 1 });
 #execute query
- $sth->execute();
+ $sth->execute($query->param('pass'), $query->param('user'));
 #if something was returned username and password match
 if($sth->fetchrow_array())
 {
- #store session id in local variable
- my $sid = $session->id;
-
 #store session id in database
- $sth = $dbh->prepare(qq{update users set sid = '$sid' where username = '$user'});
- $sth->execute();
+ $sth = $dbh->prepare(qq{update users set sid = ? where username = ? });
+ $sth->execute($session->id, $query->param('user'));
 $sth->finish();
 print $session->header();
 print "logged in";
@@ -53,8 +46,8 @@ if($query->param('action'))
 {
 #if logout is requested
 #remove sid from database
- $sth = $dbh->prepare(qq{update users set sid = '' where username = '$user'});
- $sth->execute();
+ $sth = $dbh->prepare(qq{update users set sid = '' where username = ?});
+ $sth->execute(get_username_from_sid($session->id));
 $sth->finish();
 $session->delete();
 print $session->header();
diff --git a/trunk/register.pl b/trunk/register.pl
index 93ea57b..66d0f7a 100644
--- a/trunk/register.pl
+++ b/trunk/register.pl
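Review bot: `$sth->execute($query->param('pass'), $query->param('user'))` calls CGI's `param` in list context, so a request that omits `pass` or sends a parameter twice changes the number of bind values, execute() then fails with a bind-count mismatch, and that failure goes unnoticed because this execute has no `or die` and the code continues into `fetchrow_array` on a handle that never ran. Forcing scalar context, `$sth->execute(scalar $query->param('pass'), scalar $query->param('user')) or die $dbh->errstr;`, keeps the two placeholders matched with exactly two values; the `$sth->execute($session->id, $query->param('user'))` line further down and the execute calls in the register.pl and uploader.pl hunks have the same shape. Note also that `password( ? )` still hashes with MySQL's PASSWORD() function, an unsalted fast hash, so the stored credentials are no stronger after this change than before — worth a follow-up even though it is outside what this commit sets out to fix. The enclosing if block starts and ends outside the hunk.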
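Review bot: The logout update keeps writing `sid = ''` while the lookup it is now paired with, `get_username_from_sid`, matches rows by `sid = ?`, so every logged-out account shares one comparable value; if the column is nullable, `update users set sid = NULL where username = ?` makes a logged-out row unmatchable by any bound value, since NULL never compares equal. `get_username_from_sid($session->id)` is also passed straight into execute without checking that the session resolved to a user; when it returns undef the update matches no row and the session is deleted anyway, which looks acceptable but deserves a comment such as `# unknown sid: no row is updated, the session is deleted regardless`. The else branch this sits in starts outside the hunk.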
@@ -13,12 +13,14 @@ if($query->param('user') and $query->param('pass'))
 #connect to db
 my $dbh = DBI->connect("DBI:mysql:$database:$host", $dbuser, $dbpass) or die $dbh->errstr;
- #save POST data in local variables
- my $user = $query->param("user");
- my $pass = $query->param("pass");
-
 #do query
- $dbh->do(qq{insert into users (username, password) values ('$user', password('$pass'))}) or die $dbh->errstr;
+ $sth = $dbh->prepare(qq{insert into users (username, password) values ( ?, password( ? ))}) or die $dbh->errstr;
+
+ #execute it
+ $sth->execute($query->param("user"), $query->param("pass")) or die $dbh->errstr;
+
+ #finish query
+ $sth->finish() or die $dbh->errstr;
 #disconnect db
 $dbh->disconnect() or die $dbh->errstr;
diff --git a/trunk/search.pl b/trunk/search.pl
index 9095f38..eb2439a 100644
--- a/trunk/search.pl
+++ b/trunk/search.pl
@@ -22,10 +22,10 @@ if($query->param('query'))
 my $dbh = DBI->connect("DBI:mysql:$database:$dbhost", $dbuser, $dbpass) or die $dbh->errstr;
 #prepare query
- my $sth = $dbh->prepare(qq{select title, caption, timestamp from videos where match(title, caption) against('$search_query') }) or die $dbh->errstr;
+ my $sth = $dbh->prepare(qq{select title, caption, timestamp from videos where match(title, caption) against( ? ) }) or die $dbh->errstr;
 #execute it
- $sth->execute() or die $dbh->errstr;
+ $sth->execute($search_query) or die $dbh->errstr;
 #get every returned value
 while (my ($title, $caption, $timestamp) = $sth->fetchrow_array())
diff --git a/trunk/uploader.pl b/trunk/uploader.pl
index 967c1c9..c5a4319 100644
--- a/trunk/uploader.pl
+++ b/trunk/uploader.pl
@@ -24,10 +24,6 @@ if($userid)
 #connect to db
 my $dbh = DBI->connect("DBI:mysql:$database:$host", $dbuser, $dbpass) or die $dbh->errstr;
- #save POST data in local variables
- my $title = $query->param("title");
- my $caption = $query->param("caption");
-
 #video status:
 # 0 - new entry - nothing done yet
 # 1 - successfully uploaded
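Review bot: `$sth = $dbh->prepare(...)` in the register.pl hunk assigns to `$sth` without `my`, unlike the `my $sth = $dbh->prepare(...)` form the search.pl and uploader.pl hunks use; unless `$sth` is declared earlier in the file (not visible here) this is a compile error under `use strict`, or an undeclared package global without it, so the line should read `my $sth = $dbh->prepare(qq{insert into users (username, password) values ( ?, password( ? ))}) or die $dbh->errstr;`. Registration also inserts whatever `user` and `pass` values arrive, and if username is unique in the schema a duplicate surfaces only as a `die` from execute carrying the raw driver message; checking that both parameters are non-empty before connecting, and turning a duplicate-key failure into a user-facing "name already taken" response, would keep the new prepared path from doubling as a crash path. The enclosing if block starts and ends outside the hunk.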
@@ -35,10 +31,16 @@ if($userid)
 # 3 - error: was not a valid video/format
 # 4 - error: video is a duplicate
 #do query
- $dbh->do(qq{insert into videos (title, caption, userid, status, timestamp) values ('$title', '$caption', '$userid', 0, now())}) or die $dbh->errstr;
+ my $sth = $dbh->prepare(qq{insert into videos (title, caption, userid, status, timestamp) values ( ?, ?, ?, 0, now())}) or die $dbh->errstr;
+
+ #execute it
+ $sth->execute($query->param("title"), $query->param("caption"), $userid) or die $dbh->errstr;
+ #finish query
+ $sth->finish() or die $dbh->errstr;
+
 #prepare query
- my $sth = $dbh->prepare(qq{select last_insert_id() }) or die $dbh->errstr;
+ $sth = $dbh->prepare(qq{select last_insert_id() }) or die $dbh->errstr;
 #execute it
 $sth->execute() or die $dbh->errstr;