db: fix potential SQL injection

Ekdohibs 2017-01-26 22:29:29 +01:00
parent 19dd37b7ab
commit 9eaabbf5ae


@ -68,19 +68,27 @@ assert(itb_db:exec[[
db = {} db = {}
function db.player_get_meta(name) function db.player_get_meta(name)
-- FIXME use http://luasqlite.luaforge.net/lsqlite3.html#db:prepare to prevent SQL injection local stmt = itb_db:prepare[[
for row in itb_db:nrows("SELECT meta FROM player WHERE name = '" .. name .. "';") do SELECT meta FROM player WHERE name = :name
]]
stmt:bind_names{name = name}
for row in stmt:nrows() do
stmt:finalize()
return minetest.parse_json(row.meta) return minetest.parse_json(row.meta)
end end
stmt:finalize()
print("no such player in db", name) print("no such player in db", name)
return nil return nil
end end
function db.player_put_meta(name, meta) function db.player_put_meta(name, meta)
-- FIXME use http://luasqlite.luaforge.net/lsqlite3.html#db:prepare to prevent SQL injection local stmt = itb_db:prepare[[
local r = itb_db:exec("REPLACE INTO player_meta (name, meta) VALUES ('" .. name .. "', '" .. REPLACE INTO player_meta (name, meta) VALUES (:name, :meta)
minetest.write_json(meta) .. "');") ]]
stmt:bind_names{name = name, meta = minetest.write_json(meta)}
local r = stmt:step()
stmt:finalize()
if not r then if not r then
print("error writing") print("error writing")
return false return false
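Review bot: The check `if not r then` following the new `local r = stmt:step()` in db.player_put_meta can never fire, because lsqlite3's step() returns an integer result code (sqlite3.DONE on success, sqlite3.ERROR/BUSY/MISUSE on failure) that is always truthy, so a failed write is reported as success. Compare against the completion code instead, `if r ~= sqlite3.DONE then` (assuming the lsqlite3 module is in scope as `sqlite3` earlier in the file). The same pattern already exists in db.box_set_data in the following hunk. Note also that `itb_db:prepare` returns nil plus an error code when the statement fails to compile, so the `stmt:bind_names` call on the next line would raise on a nil stmt; wrapping it as `local stmt = assert(itb_db:prepare[[ ... ]])` would surface that with a clear message. The body of db.player_put_meta continues past the end of this hunk.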
@ -90,34 +98,34 @@ function db.player_put_meta(name, meta)
end end
function db.box_get_data(box_id) function db.box_get_data(box_id)
local stmt = itb_db:prepare[[ local stmt = itb_db:prepare[[
SELECT data FROM box WHERE id = :box_id SELECT data FROM box WHERE id = :box_id
]] ]]
stmt:bind_names{box_id = box_id} stmt:bind_names{box_id = box_id}
for row in stmt:nrows() do for row in stmt:nrows() do
stmt:finalize() stmt:finalize()
return row.data return row.data
end end
stmt:finalize() stmt:finalize()
print("no such box in db", box_id) print("no such box in db", box_id)
return nil return nil
end end
function db.box_set_data(box_id, data) function db.box_set_data(box_id, data)
local stmt = itb_db:prepare[[ local stmt = itb_db:prepare[[
INSERT INTO box (id, data) VALUES(:box_id, :box_data) INSERT INTO box (id, data) VALUES(:box_id, :box_data)
]] ]]
stmt:bind_names{box_id = box_id, box_data = data} stmt:bind_names{box_id = box_id, box_data = data}
local r = stmt:step() local r = stmt:step()
stmt:finalize() stmt:finalize()
if not r then if not r then
print("error writing") print("error writing")
return false return false
else else
return true return true
end end
end end