sofar/insidethebox
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

db: fix potential SQL injection

Browse Source
This commit is contained in:
Ekdohibs 2017-01-26 22:29:29 +01:00
parent 19dd37b7ab
commit 9eaabbf5ae
1 changed files with 36 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
mods/db/init.lua
View File

@ -68,19 +68,27 @@ assert(itb_db:exec[[
db = {} db = {}
function db.player_get_meta(name) function db.player_get_meta(name)
-- FIXME use http://luasqlite.luaforge.net/lsqlite3.html#db:prepare to prevent SQL injection local stmt = itb_db:prepare[[
for row in itb_db:nrows("SELECT meta FROM player WHERE name = '" .. name .. "';") do SELECT meta FROM player WHERE name = :name
]]
stmt:bind_names{name = name}
for row in stmt:nrows() do
stmt:finalize()
return minetest.parse_json(row.meta) return minetest.parse_json(row.meta)
end end
stmt:finalize()
print("no such player in db", name) print("no such player in db", name)
return nil return nil
end end
function db.player_put_meta(name, meta) function db.player_put_meta(name, meta)
-- FIXME use http://luasqlite.luaforge.net/lsqlite3.html#db:prepare to prevent SQL injection local stmt = itb_db:prepare[[
local r = itb_db:exec("REPLACE INTO player_meta (name, meta) VALUES ('" .. name .. "', '" .. REPLACE INTO player_meta (name, meta) VALUES (:name, :meta)
minetest.write_json(meta) .. "');") ]]
stmt:bind_names{name = name, meta = minetest.write_json(meta)}
local r = stmt:step()
stmt:finalize()
if not r then if not r then
print("error writing") print("error writing")
return false return false