sofar/insidethebox
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

db: fix potential SQL injection

Browse Source
This commit is contained in:
Ekdohibs 2017-01-26 22:29:29 +01:00
parent 19dd37b7ab
commit 9eaabbf5ae
1 changed files with 36 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
mods/db/init.lua
View File

@ -68,19 +68,27 @@ assert(itb_db:exec[[
db = {}
function db.player_get_meta(name)
-- FIXME use http://luasqlite.luaforge.net/lsqlite3.html#db:prepare to prevent SQL injection
for row in itb_db:nrows("SELECT meta FROM player WHERE name = '" .. name .. "';") do
local stmt = itb_db:prepare[[
SELECT meta FROM player WHERE name = :name
]]
stmt:bind_names{name = name}
for row in stmt:nrows() do
stmt:finalize()
return minetest.parse_json(row.meta)
end
stmt:finalize()
print("no such player in db", name)
return nil
end
function db.player_put_meta(name, meta)
-- FIXME use http://luasqlite.luaforge.net/lsqlite3.html#db:prepare to prevent SQL injection
local r = itb_db:exec("REPLACE INTO player_meta (name, meta) VALUES ('" .. name .. "', '" ..
minetest.write_json(meta) .. "');")
local stmt = itb_db:prepare[[
REPLACE INTO player_meta (name, meta) VALUES (:name, :meta)
]]
stmt:bind_names{name = name, meta = minetest.write_json(meta)}
local r = stmt:step()
stmt:finalize()
if not r then
print("error writing")
return false