made sql injection impossible
git-svn-id: http://yolanda.mister-muffin.de/svn@48 7eef14d0-6ed0-489d-bf55-20463b2d70db
This commit is contained in:
parent
fc5300dc09
commit
6933085e94
5 changed files with 28 additions and 31 deletions
@ -37,10 +37,10 @@ sub get_username_from_sid
|
||||||
my $dbh = DBI->connect("DBI:mysql:$database:$dbhost", $dbuser, $dbpass) or die $dbh->errstr;
|
my $dbh = DBI->connect("DBI:mysql:$database:$dbhost", $dbuser, $dbpass) or die $dbh->errstr;
|
||||||
|
|
||||||
#prepare query
|
#prepare query
|
||||||
my $sth = $dbh->prepare(qq{select username from users where sid = '$sid'}) or die $dbh->errstr;
|
my $sth = $dbh->prepare(qq{select username from users where sid = ?}) or die $dbh->errstr;
|
||||||
|
|
||||||
#execute it
|
#execute it
|
||||||
$sth->execute() or die $dbh->errstr;
|
$sth->execute($sid) or die $dbh->errstr;
|
||||||
|
|
||||||
#save the resulting username
|
#save the resulting username
|
||||||
my ($username) = $sth->fetchrow_array();
|
my ($username) = $sth->fetchrow_array();
|
||||||
|
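Review bot: `DBI->connect(...) or die $dbh->errstr` on the first context line cannot report the real failure, because `$dbh` is undef when connect fails, so the `die` itself turns into a "Can't call method errstr on an undefined value" error; `... or die DBI->errstr;` (or `$DBI::errstr`) reports the driver's message. The same connect line is repeated in the get_userid_from_sid hunk below and in the register, search and upload hunks. In that second hunk the query now selects `id` but the result is still stored as `$username` under `#save the resulting username`; `my ($userid) = $sth->fetchrow_array();` with `#save the resulting user id` would match the query, with the return statement outside the hunk updated accordingly. The body of get_username_from_sid continues outside the hunk.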
@ -65,10 +65,10 @@ sub get_userid_from_sid
|
||||||
my $dbh = DBI->connect("DBI:mysql:$database:$dbhost", $dbuser, $dbpass) or die $dbh->errstr;
|
my $dbh = DBI->connect("DBI:mysql:$database:$dbhost", $dbuser, $dbpass) or die $dbh->errstr;
|
||||||
|
|
||||||
#prepare query
|
#prepare query
|
||||||
my $sth = $dbh->prepare(qq{select id from users where sid = '$sid'}) or die $dbh->errstr;
|
my $sth = $dbh->prepare(qq{select id from users where sid = ?}) or die $dbh->errstr;
|
||||||
|
|
||||||
#execute it
|
#execute it
|
||||||
$sth->execute() or die $dbh->errstr;
|
$sth->execute($sid) or die $dbh->errstr;
|
||||||
|
|
||||||
#save the resulting username
|
#save the resulting username
|
||||||
my ($username) = $sth->fetchrow_array();
|
my ($username) = $sth->fetchrow_array();
|
||||||
|
|
|
@ -15,28 +15,21 @@ if($query->param('action'))
|
||||||
#if login is requested
|
#if login is requested
|
||||||
if($query->param('action') eq "login")
|
if($query->param('action') eq "login")
|
||||||
{
|
{
|
||||||
#save POST data in local variables
|
|
||||||
my $user = $query->param('user');
|
|
||||||
my $pass = $query->param('pass');
|
|
||||||
|
|
||||||
#prepare query
|
#prepare query
|
||||||
my $sth = $dbh->prepare(qq{select username from users
|
my $sth = $dbh->prepare(qq{select username from users
|
||||||
where password = password('$pass')
|
where password = password( ? )
|
||||||
and username = '$user'
|
and username = ?
|
||||||
limit 1 });
|
limit 1 });
|
||||||
|
|
||||||
#execute query
|
#execute query
|
||||||
$sth->execute();
|
$sth->execute($query->param('pass'), $query->param('user'));
|
||||||
|
|
||||||
#if something was returned username and password match
|
#if something was returned username and password match
|
||||||
if($sth->fetchrow_array())
|
if($sth->fetchrow_array())
|
||||||
{
|
{
|
||||||
#store session id in local variable
|
|
||||||
my $sid = $session->id;
|
|
||||||
|
|
||||||
#store session id in database
|
#store session id in database
|
||||||
$sth = $dbh->prepare(qq{update users set sid = '$sid' where username = '$user'});
|
$sth = $dbh->prepare(qq{update users set sid = ? where username = ? });
|
||||||
$sth->execute();
|
$sth->execute($session->id, $query->param('user'));
|
||||||
$sth->finish();
|
$sth->finish();
|
||||||
print $session->header();
|
print $session->header();
|
||||||
print "logged in";
|
print "logged in";
|
||||||
|
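Review bot: `$sth->execute($query->param('pass'), $query->param('user'));` evaluates `param` in list context, where CGI returns every value of a repeated field, so a request carrying `pass` twice shifts `user` into the wrong bind position; the execute's return is also unchecked, unlike the other hunks, so a bind-count or driver error leaves the login silently denied. Keeping the locals the commit removed, as `my $user = scalar $query->param('user');` and `my $pass = scalar $query->param('pass');`, and calling `$sth->execute($pass, $user) or die $dbh->errstr;` keeps the parameterised query and fixes both points. The `update users set sid = ?` execute later in the hunk has the same unchecked return. In the logout hunk below, binding `get_username_from_sid($session->id)` to `where username = ?` opens a second connection only to find the row the session id already identifies; `where sid = ?` bound to `$session->id` avoids the extra lookup. The enclosing if block continues outside the hunk.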
@ -53,8 +46,8 @@ if($query->param('action'))
|
||||||
{
|
{
|
||||||
#if logout is requested
|
#if logout is requested
|
||||||
#remove sid from database
|
#remove sid from database
|
||||||
$sth = $dbh->prepare(qq{update users set sid = '' where username = '$user'});
|
$sth = $dbh->prepare(qq{update users set sid = '' where username = ?});
|
||||||
$sth->execute();
|
$sth->execute(get_username_from_sid($session->id));
|
||||||
$sth->finish();
|
$sth->finish();
|
||||||
$session->delete();
|
$session->delete();
|
||||||
print $session->header();
|
print $session->header();
|
||||||
|
|
|
@ -13,12 +13,14 @@ if($query->param('user') and $query->param('pass'))
|
||||||
#connect to db
|
#connect to db
|
||||||
my $dbh = DBI->connect("DBI:mysql:$database:$host", $dbuser, $dbpass) or die $dbh->errstr;
|
my $dbh = DBI->connect("DBI:mysql:$database:$host", $dbuser, $dbpass) or die $dbh->errstr;
|
||||||
|
|
||||||
#save POST data in local variables
|
|
||||||
my $user = $query->param("user");
|
|
||||||
my $pass = $query->param("pass");
|
|
||||||
|
|
||||||
#do query
|
#do query
|
||||||
$dbh->do(qq{insert into users (username, password) values ('$user', password('$pass'))}) or die $dbh->errstr;
|
$sth = $dbh->prepare(qq{insert into users (username, password) values ( ?, password( ? ))}) or die $dbh->errstr;
|
||||||
|
|
||||||
|
#execute it
|
||||||
|
$sth->execute($query->param("user"), $query->param("pass")) or die $dbh->errstr;
|
||||||
|
|
||||||
|
#finish query
|
||||||
|
$sth->finish() or die $dbh->errstr;
|
||||||
|
|
||||||
#disconnect db
|
#disconnect db
|
||||||
$dbh->disconnect() or die $dbh->errstr;
|
$dbh->disconnect() or die $dbh->errstr;
|
||||||
|
|
|
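Review bot: `$sth = $dbh->prepare(...)` on the new insert line assigns to `$sth` without `my`, whereas the equivalent line in the upload hunk declares `my $sth`; if this file runs under `use strict` (not visible here) that is a compile error, and otherwise it is an unintended package global, so `my $sth = $dbh->prepare(...)` is the form to use. `$sth->execute($query->param("user"), $query->param("pass"))` evaluates `param` in list context, where a repeated field yields several values and shifts the bind positions; `scalar $query->param("user")` and `scalar $query->param("pass")` bind exactly one value each. The surrounding if block continues outside the hunk.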
@ -22,10 +22,10 @@ if($query->param('query'))
|
||||||
my $dbh = DBI->connect("DBI:mysql:$database:$dbhost", $dbuser, $dbpass) or die $dbh->errstr;
|
my $dbh = DBI->connect("DBI:mysql:$database:$dbhost", $dbuser, $dbpass) or die $dbh->errstr;
|
||||||
|
|
||||||
#prepare query
|
#prepare query
|
||||||
my $sth = $dbh->prepare(qq{select title, caption, timestamp from videos where match(title, caption) against('$search_query') }) or die $dbh->errstr;
|
my $sth = $dbh->prepare(qq{select title, caption, timestamp from videos where match(title, caption) against( ? ) }) or die $dbh->errstr;
|
||||||
|
|
||||||
#execute it
|
#execute it
|
||||||
$sth->execute() or die $dbh->errstr;
|
$sth->execute($search_query) or die $dbh->errstr;
|
||||||
|
|
||||||
#get every returned value
|
#get every returned value
|
||||||
while (my ($title, $caption, $timestamp) = $sth->fetchrow_array())
|
while (my ($title, $caption, $timestamp) = $sth->fetchrow_array())
|
||||||
|
|
|
@ -24,10 +24,6 @@ if($userid)
|
||||||
#connect to db
|
#connect to db
|
||||||
my $dbh = DBI->connect("DBI:mysql:$database:$host", $dbuser, $dbpass) or die $dbh->errstr;
|
my $dbh = DBI->connect("DBI:mysql:$database:$host", $dbuser, $dbpass) or die $dbh->errstr;
|
||||||
|
|
||||||
#save POST data in local variables
|
|
||||||
my $title = $query->param("title");
|
|
||||||
my $caption = $query->param("caption");
|
|
||||||
|
|
||||||
#video status:
|
#video status:
|
||||||
# 0 - new entry - nothing done yet
|
# 0 - new entry - nothing done yet
|
||||||
# 1 - successfully uploaded
|
# 1 - successfully uploaded
|
||||||
|
@ -35,10 +31,16 @@ if($userid)
|
||||||
# 3 - error: was not a valid video/format
|
# 3 - error: was not a valid video/format
|
||||||
# 4 - error: video is a duplicate
|
# 4 - error: video is a duplicate
|
||||||
#do query
|
#do query
|
||||||
$dbh->do(qq{insert into videos (title, caption, userid, status, timestamp) values ('$title', '$caption', '$userid', 0, now())}) or die $dbh->errstr;
|
my $sth = $dbh->prepare(qq{insert into videos (title, caption, userid, status, timestamp) values ( ?, ?, ?, 0, now())}) or die $dbh->errstr;
|
||||||
|
|
||||||
|
#execute it
|
||||||
|
$sth->execute($query->param("title"), $query->param("caption"), $userid) or die $dbh->errstr;
|
||||||
|
|
||||||
|
#finish query
|
||||||
|
$sth->finish() or die $dbh->errstr;
|
||||||
|
|
||||||
#prepare query
|
#prepare query
|
||||||
my $sth = $dbh->prepare(qq{select last_insert_id() }) or die $dbh->errstr;
|
$sth = $dbh->prepare(qq{select last_insert_id() }) or die $dbh->errstr;
|
||||||
|
|
||||||
#execute it
|
#execute it
|
||||||
$sth->execute() or die $dbh->errstr;
|
$sth->execute() or die $dbh->errstr;
|
||||||
|
|
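Review bot: `$sth->execute($query->param("title"), $query->param("caption"), $userid)` passes `param` in list context, so a repeated `title` or `caption` field supplies extra bind values and the `or die` fires with a bind-count error instead of inserting the row; `scalar $query->param("title")` and `scalar $query->param("caption")` bind one value each. The separate `select last_insert_id()` statement that follows works because it runs on the same `$dbh`, but `$dbh->last_insert_id(undef, undef, 'videos', undef)` (or the driver's `mysql_insertid` attribute) yields the same value without a second prepare and execute. The `if($userid)` block continues outside the hunk.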