made sql injection impossible

git-svn-id: http://yolanda.mister-muffin.de/svn@48 7eef14d0-6ed0-489d-bf55-20463b2d70db
This commit is contained in:
josch 2007-10-12 00:34:32 +00:00
parent fc5300dc09
commit 6933085e94
5 changed files with 28 additions and 31 deletions


@ -37,10 +37,10 @@ sub get_username_from_sid
my $dbh = DBI->connect("DBI:mysql:$database:$dbhost", $dbuser, $dbpass) or die $dbh->errstr; my $dbh = DBI->connect("DBI:mysql:$database:$dbhost", $dbuser, $dbpass) or die $dbh->errstr;
#prepare query #prepare query
my $sth = $dbh->prepare(qq{select username from users where sid = '$sid'}) or die $dbh->errstr; my $sth = $dbh->prepare(qq{select username from users where sid = ?}) or die $dbh->errstr;
#execute it #execute it
$sth->execute() or die $dbh->errstr; $sth->execute($sid) or die $dbh->errstr;
#save the resulting username #save the resulting username
my ($username) = $sth->fetchrow_array(); my ($username) = $sth->fetchrow_array();
@ -65,10 +65,10 @@ sub get_userid_from_sid
my $dbh = DBI->connect("DBI:mysql:$database:$dbhost", $dbuser, $dbpass) or die $dbh->errstr; my $dbh = DBI->connect("DBI:mysql:$database:$dbhost", $dbuser, $dbpass) or die $dbh->errstr;
#prepare query #prepare query
my $sth = $dbh->prepare(qq{select id from users where sid = '$sid'}) or die $dbh->errstr; my $sth = $dbh->prepare(qq{select id from users where sid = ?}) or die $dbh->errstr;
#execute it #execute it
$sth->execute() or die $dbh->errstr; $sth->execute($sid) or die $dbh->errstr;
#save the resulting username #save the resulting username
my ($username) = $sth->fetchrow_array(); my ($username) = $sth->fetchrow_array();
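Review bot: `DBI->connect(...) or die $dbh->errstr` on the connect line at the top of both hunks dies with "Can't call method errstr on an undefined value" when the connection fails, because `$dbh` is exactly the undef that triggered the `or`; the real reason lives in `$DBI::errstr`, so the line should read `my $dbh = DBI->connect("DBI:mysql:$database:$dbhost", $dbuser, $dbpass) or die "connect: $DBI::errstr";`. The same pattern is on the connect context line of the login, register, search and upload hunks. In get_userid_from_sid the fetched column is the id, yet it is stored in `$username` under the copied comment "save the resulting username"; renaming the variable to `$userid` and the comment to `#save the resulting user id` would stop a reader from mistaking which sub they are in. Both subs start before and continue after their hunks.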


@ -15,28 +15,21 @@ if($query->param('action'))
#if login is requested #if login is requested
if($query->param('action') eq "login") if($query->param('action') eq "login")
{ {
#save POST data in local variables
my $user = $query->param('user');
my $pass = $query->param('pass');
#prepare query #prepare query
my $sth = $dbh->prepare(qq{select username from users my $sth = $dbh->prepare(qq{select username from users
where password = password('$pass') where password = password( ? )
and username = '$user' and username = ?
limit 1 }); limit 1 });
#execute query #execute query
$sth->execute(); $sth->execute($query->param('pass'), $query->param('user'));
#if something was returned username and password match #if something was returned username and password match
if($sth->fetchrow_array()) if($sth->fetchrow_array())
{ {
#store session id in local variable
my $sid = $session->id;
#store session id in database #store session id in database
$sth = $dbh->prepare(qq{update users set sid = '$sid' where username = '$user'}); $sth = $dbh->prepare(qq{update users set sid = ? where username = ? });
$sth->execute(); $sth->execute($session->id, $query->param('user'));
$sth->finish(); $sth->finish();
print $session->header(); print $session->header();
print "logged in"; print "logged in";
@ -53,8 +46,8 @@ if($query->param('action'))
{ {
#if logout is requested #if logout is requested
#remove sid from database #remove sid from database
$sth = $dbh->prepare(qq{update users set sid = '' where username = '$user'}); $sth = $dbh->prepare(qq{update users set sid = '' where username = ?});
$sth->execute(); $sth->execute(get_username_from_sid($session->id));
$sth->finish(); $sth->finish();
$session->delete(); $session->delete();
print $session->header(); print $session->header();
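Review bot: The new `$sth->execute($query->param('pass'), $query->param('user'))` on the login execute line calls CGI's `param()` in list context, where it returns every value sent under that name (and an empty list when the field is absent), so a repeated or missing `pass=`/`user=` field changes the number of bind values; DBI then rejects the mismatched count, and because this execute has no `or die` the failure is silent. The locals the commit deleted forced scalar context; restore it with `$sth->execute(scalar $query->param('pass'), scalar $query->param('user'));`, likewise `scalar $query->param('user')` in the sid update, and the same applies to the register and upload hunks. None of the three new execute calls in this file checks its return value, unlike the `or die $dbh->errstr` used in the other changed files, so a failed sid update still prints "logged in" after a successful password check. The enclosing `if($query->param('action'))` block starts before the hunk.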


@ -13,12 +13,14 @@ if($query->param('user') and $query->param('pass'))
#connect to db #connect to db
my $dbh = DBI->connect("DBI:mysql:$database:$host", $dbuser, $dbpass) or die $dbh->errstr; my $dbh = DBI->connect("DBI:mysql:$database:$host", $dbuser, $dbpass) or die $dbh->errstr;
#save POST data in local variables
my $user = $query->param("user");
my $pass = $query->param("pass");
#do query #do query
$dbh->do(qq{insert into users (username, password) values ('$user', password('$pass'))}) or die $dbh->errstr; $sth = $dbh->prepare(qq{insert into users (username, password) values ( ?, password( ? ))}) or die $dbh->errstr;
#execute it
$sth->execute($query->param("user"), $query->param("pass")) or die $dbh->errstr;
#finish query
$sth->finish() or die $dbh->errstr;
#disconnect db #disconnect db
$dbh->disconnect() or die $dbh->errstr; $dbh->disconnect() or die $dbh->errstr;
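Review bot: `$sth = $dbh->prepare(...)` on the new insert line assigns to `$sth` without `my`, while every other hunk in this commit declares it; unless `$sth` is declared earlier in this file, this does not compile under `use strict`, so it should read `my $sth = $dbh->prepare(...)`. For a one-shot insert `do` already accepts bind values, so the prepare/execute/finish triple can stay a single call: `$dbh->do(qq{insert into users (username, password) values (?, password(?))}, undef, scalar $query->param("user"), scalar $query->param("pass")) or die $dbh->errstr;`. The bare `$query->param(...)` arguments on the execute line are list-context calls, the concern raised on the login hunk. The enclosing `if($query->param('user') and $query->param('pass'))` block starts before the hunk.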


@ -22,10 +22,10 @@ if($query->param('query'))
my $dbh = DBI->connect("DBI:mysql:$database:$dbhost", $dbuser, $dbpass) or die $dbh->errstr; my $dbh = DBI->connect("DBI:mysql:$database:$dbhost", $dbuser, $dbpass) or die $dbh->errstr;
#prepare query #prepare query
my $sth = $dbh->prepare(qq{select title, caption, timestamp from videos where match(title, caption) against('$search_query') }) or die $dbh->errstr; my $sth = $dbh->prepare(qq{select title, caption, timestamp from videos where match(title, caption) against( ? ) }) or die $dbh->errstr;
#execute it #execute it
$sth->execute() or die $dbh->errstr; $sth->execute($search_query) or die $dbh->errstr;
#get every returned value #get every returned value
while (my ($title, $caption, $timestamp) = $sth->fetchrow_array()) while (my ($title, $caption, $timestamp) = $sth->fetchrow_array())


@ -24,10 +24,6 @@ if($userid)
#connect to db #connect to db
my $dbh = DBI->connect("DBI:mysql:$database:$host", $dbuser, $dbpass) or die $dbh->errstr; my $dbh = DBI->connect("DBI:mysql:$database:$host", $dbuser, $dbpass) or die $dbh->errstr;
#save POST data in local variables
my $title = $query->param("title");
my $caption = $query->param("caption");
#video status: #video status:
# 0 - new entry - nothing done yet # 0 - new entry - nothing done yet
# 1 - successfully uploaded # 1 - successfully uploaded
@ -35,10 +31,16 @@ if($userid)
# 3 - error: was not a valid video/format # 3 - error: was not a valid video/format
# 4 - error: video is a duplicate # 4 - error: video is a duplicate
#do query #do query
$dbh->do(qq{insert into videos (title, caption, userid, status, timestamp) values ('$title', '$caption', '$userid', 0, now())}) or die $dbh->errstr; my $sth = $dbh->prepare(qq{insert into videos (title, caption, userid, status, timestamp) values ( ?, ?, ?, 0, now())}) or die $dbh->errstr;
#execute it
$sth->execute($query->param("title"), $query->param("caption"), $userid) or die $dbh->errstr;
#finish query
$sth->finish() or die $dbh->errstr;
#prepare query #prepare query
my $sth = $dbh->prepare(qq{select last_insert_id() }) or die $dbh->errstr; $sth = $dbh->prepare(qq{select last_insert_id() }) or die $dbh->errstr;
#execute it #execute it
$sth->execute() or die $dbh->errstr; $sth->execute() or die $dbh->errstr;
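Review bot: The new prepare/execute/finish sequence for the insert, followed by a second prepared `select last_insert_id()`, can be collapsed to `$dbh->do(qq{insert into videos (title, caption, userid, status, timestamp) values (?, ?, ?, 0, now())}, undef, scalar $query->param("title"), scalar $query->param("caption"), $userid) or die $dbh->errstr;` and then `my $video_id = $dbh->{mysql_insertid};`, since `do` takes bind values and DBD::mysql exposes the last insert id on the connection handle, removing the extra round trip and the reused `$sth`. The bare `$query->param(...)` arguments on the execute line are list-context calls, the concern raised on the login hunk. Where `$userid` comes from is outside the hunk; it is bound as a parameter here, so it is safe against injection, but the `if($userid)` guard only checks truthiness. The enclosing `if($userid)` block starts before the first hunk and continues past the second.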