Start #16 "Use parameterized statements in DBI to prevent SQL injection"
This commit is contained in:
parent
756c464c3e
commit
8a0b851188
@ -105,11 +105,15 @@ sub saveConf {
|
|||
# If configuration was modified, return an error
|
||||
if ( not $self->{force} ) {
|
||||
return CONFIG_WAS_CHANGED if ( $conf->{cfgNum} != $last );
|
||||
return DATABASE_LOCKED if ( $self->isLocked or not $self->lock );
|
||||
return DATABASE_LOCKED if ( $self->isLocked() or not $self->lock() );
|
||||
}
|
||||
$conf->{cfgNum} = $last + 1 unless ( $self->{cfgNumFixed} );
|
||||
foreach my $k (qw(reVHosts cipher)) {
|
||||
delete( $conf->{$k} );
|
||||
}
|
||||
$msg = "Configuration $conf->{cfgNum} stored.";
|
||||
return $self->store($conf);
|
||||
my $tmp = $self->store($conf);
|
||||
return ( $self->unlock() ? $tmp : UNKNOWN_ERROR );
|
||||
}
|
||||
|
||||
## @method hashRef getConf(hashRef args)
|
||||
|
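Review bot: The new `return ( $self->unlock() ? $tmp : UNKNOWN_ERROR );` line calls unlock() even when `$self->{force}` is set, but in that branch lock() is never taken, because the `not $self->lock()` test sits inside the `if ( not $self->{force} )` block just above. If the backend's unlock reports failure for a lock it does not hold (the MySQL path in the last hunk goes through RELEASE_LOCK, which I believe yields 0 in that case), a forced save that did store the configuration would be reported as UNKNOWN_ERROR. Releasing only what was taken avoids that: `return ( ( $self->{force} or $self->unlock() ) ? $tmp : UNKNOWN_ERROR );`. Note also that an unlock failure discards a successful store result, so the caller cannot tell the configuration was written; logging before returning would make that visible. saveConf begins before this hunk.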
|
|
@ -11,16 +11,13 @@ sub store {
|
|||
my ( $self, $fields ) = @_;
|
||||
my $cfgNum = $fields->{cfgNum};
|
||||
$fields = Storable::nfreeze($fields);
|
||||
$fields =~ s/'/''/gs;
|
||||
my $tmp =
|
||||
$self->_dbh->do( "insert into "
|
||||
. $self->{dbiTable}
|
||||
. " (cfgNum,data) values ($cfgNum,'$fields')" );
|
||||
my $tmp = $self->_dbh->prepare(
|
||||
"insert into $self->{dbiTable} (cfgNum,data) values (?,?)");
|
||||
unless ($tmp) {
|
||||
$self->logError;
|
||||
return UNKNOWN_ERROR;
|
||||
}
|
||||
unless ( $self->unlock ) {
|
||||
unless ( $tmp->execute( $cfgNum, $fields ) ) {
|
||||
$self->logError;
|
||||
return UNKNOWN_ERROR;
|
||||
}
|
||||
|
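Review bot: The bind value on the `$tmp->execute( $cfgNum, $fields )` line is the raw `Storable::nfreeze` image, which can contain NUL and non-UTF-8 bytes; whether it is stored intact depends on the type of the `data` column and on the driver, and some drivers need an explicit binary type set through `bind_param` before `execute`. A comment such as `# data must be a binary column; the frozen image is not text` would document that assumption where the statement is built. The placeholders cover the values only: `$self->{dbiTable}` is still interpolated into the statement text, so it must keep coming from trusted configuration, which deserves a one-line comment too. Since isLocked and unlock use `prepare_cached`, using it here as well would be consistent and avoid re-preparing the same insert on every store. store continues past the hunk.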
@ -38,7 +35,7 @@ sub load {
|
|||
return 0;
|
||||
}
|
||||
my $r;
|
||||
eval { $r = Storable::thaw( $row->[1] ); };
|
||||
eval { $r = Storable::thaw( $row->[0] ); };
|
||||
if ($@) {
|
||||
$Lemonldap::NG::Common::Conf::msg =
|
||||
"Bad stored data in conf database: $@";
|
||||
|
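Review bot: The change to `Storable::thaw( $row->[0] )` only holds if the SELECT that fills `$row` now returns the data column first, and that query is outside the hunk, so the two can drift without any error. A comment on the new line such as `# $row holds only the data column; keep the index in step with the select` would tie them together. Presumably the select list was narrowed in the same commit; the surrounding `eval` and the immediate `$@` check are the only guard against a corrupt or foreign blob, so keep them adjacent as they are. load's body starts and continues outside the hunk.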
|
|
@ -12,17 +12,12 @@ sub store {
|
|||
$self->{noQuotes} = 1;
|
||||
$fields = $self->serialize($fields);
|
||||
my $errors = 0;
|
||||
eval { $self->_dbh->do('BEGIN'); };
|
||||
while ( my ( $k, $v ) = each %$fields ) {
|
||||
unless (
|
||||
$self->_dbh->do(
|
||||
"insert into "
|
||||
my $tmp =
|
||||
$self->_dbh->prepare( "insert into "
|
||||
. $self->{dbiTable}
|
||||
. " (cfgNum,field,value) values ("
|
||||
. join( ',', $fields->{cfgNum}, "'$k'", "'$v'" ) . ')'
|
||||
)
|
||||
)
|
||||
{
|
||||
. " (cfgNum,field,value) values (?,?,?)" );
|
||||
unless ( $tmp and $tmp->execute( $fields->{cfgNum}, $k, $v ) ) {
|
||||
$self->logError;
|
||||
$errors++;
|
||||
last;
|
||||
|
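Review bot: The `prepare` on the `my $tmp =` line now runs inside the `while ( my ( $k, $v ) = each %$fields )` loop, so the identical insert statement is re-prepared once per configuration field. Hoisting the three-line prepare above the loop (or using `prepare_cached`, as isLocked does) and keeping only `unless ( $tmp and $tmp->execute( $fields->{cfgNum}, $k, $v ) ) {` inside it would prepare once and also surface a prepare failure before the first row rather than inside the loop. The `$self->{noQuotes} = 1;` context line suggests serialize still carries quote handling from the string-built version; since every value is now bound, it is worth confirming that nothing doubles quotes any more, or the stored text would differ from the original. store begins before this hunk.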
|
|
@ -64,9 +64,6 @@ sub serialize {
|
|||
# Parse configuration
|
||||
while ( my ( $k, $v ) = each(%$conf) ) {
|
||||
|
||||
# Ignore reVhost and cipher
|
||||
next if ( $k =~ /^(?:reVHosts|cipher)$/ );
|
||||
|
||||
# 1.Hash ref
|
||||
if ( ref($v) ) {
|
||||
$fields->{$k} = $self->normalize( Dumper($v) );
|
||||
|
|
|
@ -80,7 +80,7 @@ sub lock {
|
|||
sub isLocked {
|
||||
my $self = shift;
|
||||
my $sth;
|
||||
if ( $self->{dbiChain} =~ /mysql/i ) {
|
||||
if ( $self->{dbiChain} =~ /^dbi:mysql:/i ) {
|
||||
eval {
|
||||
$sth =
|
||||
$self->_dbh->prepare_cached( q{SELECT IS_FREE_LOCK(?)}, {}, 1 );
|
||||
|
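Review bot: The tightened `/^dbi:mysql:/i` test on the `if ( $self->{dbiChain} =~ ... )` line is repeated verbatim in unlock in the next hunk (and presumably in lock, which is outside it), so the copies can drift the next time the DSN check changes. A private helper, `sub _is_mysql { my $self = shift; return $self->{dbiChain} =~ /^dbi:mysql:/i; }`, called from each method would keep the backend selection in one place. The anchored form is an improvement over the old substring match, which would have chosen the MySQL lock path for any DSN merely containing "mysql"; a short comment noting that the check is on the driver prefix would preserve that intent. isLocked continues past the hunk.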
@ -99,7 +99,7 @@ sub isLocked {
|
|||
sub unlock {
|
||||
my $self = shift;
|
||||
my $sth;
|
||||
if ( $self->{dbiChain} =~ /mysql/i ) {
|
||||
if ( $self->{dbiChain} =~ /^dbi:mysql:/i ) {
|
||||
eval {
|
||||
$sth =
|
||||
$self->_dbh->prepare_cached( q{SELECT RELEASE_LOCK(?)}, {}, 1 );
|
||||
|
|