sofar/insidethebox
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add comments in db about SQL injection needing to be fixed

Browse Source
This commit is contained in:
Ekdohibs 2017-01-26 19:17:28 +01:00
parent de06958900
commit ac137e1484
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
mods/db/init.lua
View File

@ -68,6 +68,7 @@ assert(itb_db:exec[[
db = {} db = {}
function db.player_get_meta(name) function db.player_get_meta(name)
-- FIXME use http://luasqlite.luaforge.net/lsqlite3.html#db:prepare to prevent SQL injection
for row in itb_db:nrows("SELECT meta FROM player WHERE name = '" .. name .. "';") do for row in itb_db:nrows("SELECT meta FROM player WHERE name = '" .. name .. "';") do
return minetest.parse_json(row.meta) return minetest.parse_json(row.meta)
end end
@ -77,6 +78,7 @@ function db.player_get_meta(name)
end end
function db.player_put_meta(name, meta) function db.player_put_meta(name, meta)
-- FIXME use http://luasqlite.luaforge.net/lsqlite3.html#db:prepare to prevent SQL injection
local r = itb_db:exec("REPLACE INTO player_meta (name, meta) VALUES ('" .. name .. "', '" .. local r = itb_db:exec("REPLACE INTO player_meta (name, meta) VALUES ('" .. name .. "', '" ..
minetest.write_json(meta) .. "');") minetest.write_json(meta) .. "');")
if not r then if not r then