From e2975808a562b90da248d7e48e7afe5b5dfff569 Mon Sep 17 00:00:00 2001
From: Mrten
Date: Fri, 27 Sep 2013 12:12:08 +0200
Subject: [PATCH] Use prepared statement for query

This commit uses a prepared statement for the querying of the id. It's a bit cleaner and avoids the use of addslashes(). PDO does the preparing of the statements for databases that do not support it, so that should be OK. This commit changes the query to have an or for active=1 and active=true because sqlite does not support active=1 and returns not results. This commit tests if $sth->fetch() succeeded before using the result as as array to prevent notices.
---
 ykksm-decrypt.php | 37 ++++++++++++++++++++++++++++++-------
 1 file changed, 30 insertions(+), 7 deletions(-)

diff --git a/ykksm-decrypt.php b/ykksm-decrypt.php
index 045e2ca..b99d947 100644
--- a/ykksm-decrypt.php
+++ b/ykksm-decrypt.php
@@ -66,27 +66,50 @@ else {
 $dbh = oci_connect($db_username, $db_password, $db_dsn);
 if (!$dbh) {
 $error = oci_error();
- syslog(LOG_err, "Database error: " . $error["message"]);
+ syslog(LOG_ERR, "Database error: " . $error["message"]);
 die("ERR Database error\n");
 }
 }
-$sql = "SELECT aeskey, internalname FROM yubikeys " .
- "WHERE publicname = '$id' AND active = 1";
 if (!$use_oci) {
- $result = $dbh->query($sql);
- if (!$result) {
+ // use OR for active because some databases do support booleans (sqlite) and some do not.
+ $sql = "SELECT aeskey, internalname FROM yubikeys" .
+ " WHERE publicname = :id AND (active = 'true' OR active=1);
+
+ $sth = $dbh->prepare($sql);
+ if ($sth === false) {
+ syslog(LOG_ERR, "Database prepare error. Query: " . $sql . " Error: " .
+ print_r ($dbh->errorInfo (), true));
+ die("ERR Database error\n");
+ }
+
+ $result = $sth->bindParam(':id', $id, PDO::PARAM_STR, 16);
+ if ($result === false) {
+ syslog(LOG_ERR, "Database bind error. Query: " . $sql . " Error: " .
+ print_r ($dbh->errorInfo (), true));
+ die("ERR Database error\n");
+ }
+
+ $result = $sth->execute();
+ if ($result === false) {
 syslog(LOG_ERR, "Database query error. Query: " . $sql . " Error: " .
 print_r ($dbh->errorInfo (), true));
 die("ERR Database error\n");
- }
+ }
+
+ $row = $sth->fetch(PDO::FETCH_ASSOC);
+ if ($row === false ) {
+ syslog(LOG_INFO, "Unknown yubikey: " . $otp);
+ die("ERR Unknown yubikey\n");
+ }
- $row = $result->fetch(PDO::FETCH_ASSOC);
 $aeskey = $row['aeskey'];
 $internalname = $row['internalname'];
 } else {
+ $sql = "SELECT aeskey, internalname FROM yubikeys " .
+ "WHERE publicname = '$id' AND active = 1";
 $result = oci_parse($dbh, $sql);
 $execute = oci_execute($result);
 if (!$execute) {
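Review bot: The new `$sql` literal in the PDO branch is unterminated — the continuation line `" WHERE publicname = :id AND (active = 'true' OR active=1);` has no closing double quote before the semicolon, so PHP cannot parse the file at all; it should read `" WHERE publicname = :id AND (active = 'true' OR active=1)";`. The bind and execute failure paths log `$dbh->errorInfo()`, but once `prepare()` has returned a statement those errors are recorded on the statement, so those two branches should log `print_r($sth->errorInfo(), true)` (the prepare branch correctly asks `$dbh`). The `16` length argument to `bindParam()` is documented for OUT parameters of stored procedures; for a plain input value `$sth->bindValue(':id', $id, PDO::PARAM_STR)` states the intent more clearly. The OCI branch still interpolates `$id` directly into the query text, so the commit's stated goal of dropping `addslashes()` is only safe there if `$id` is validated earlier in the file (not visible in this hunk); `oci_bind_by_name()` would bring that branch in line with the PDO one. The `if (!$use_oci) { … } else {` block this hunk rewrites continues past the end of the hunk.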