Use prepared statement for query
This commit uses a prepared statement for the querying of the id. It's a bit cleaner and avoids the use of addslashes(). PDO does the preparing of the statements for databases that do not support it, so that should be OK. This commit changes the query to have an or for active=1 and active=true because sqlite does not support active=1 and returns no results. This commit tests if $sth->fetch() succeeded before using the result as an array to prevent notices.
This commit is contained in:
parent
113c3193ff
commit
e2975808a5
@ -66,27 +66,50 @@ else {
|
|||||||
$dbh = oci_connect($db_username, $db_password, $db_dsn);
|
$dbh = oci_connect($db_username, $db_password, $db_dsn);
|
||||||
if (!$dbh) {
|
if (!$dbh) {
|
||||||
$error = oci_error();
|
$error = oci_error();
|
||||||
syslog(LOG_err, "Database error: " . $error["message"]);
|
syslog(LOG_ERR, "Database error: " . $error["message"]);
|
||||||
die("ERR Database error\n");
|
die("ERR Database error\n");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
$sql = "SELECT aeskey, internalname FROM yubikeys " .
|
|
||||||
"WHERE publicname = '$id' AND active = 1";
|
|
||||||
|
|
||||||
if (!$use_oci) {
|
if (!$use_oci) {
|
||||||
$result = $dbh->query($sql);
|
// use OR for active because some databases do support booleans (sqlite) and some do not.
|
||||||
if (!$result) {
|
$sql = "SELECT aeskey, internalname FROM yubikeys" .
|
||||||
|
" WHERE publicname = :id AND (active = 'true' OR active=1);
|
||||||
|
|
||||||
|
$sth = $dbh->prepare($sql);
|
||||||
|
if ($sth === false) {
|
||||||
|
syslog(LOG_ERR, "Database prepare error. Query: " . $sql . " Error: " .
|
||||||
|
print_r ($dbh->errorInfo (), true));
|
||||||
|
die("ERR Database error\n");
|
||||||
|
}
|
||||||
|
|
||||||
|
$result = $sth->bindParam(':id', $id, PDO::PARAM_STR, 16);
|
||||||
|
if ($result === false) {
|
||||||
|
syslog(LOG_ERR, "Database bind error. Query: " . $sql . " Error: " .
|
||||||
|
print_r ($dbh->errorInfo (), true));
|
||||||
|
die("ERR Database error\n");
|
||||||
|
}
|
||||||
|
|
||||||
|
$result = $sth->execute();
|
||||||
|
if ($result === false) {
|
||||||
syslog(LOG_ERR, "Database query error. Query: " . $sql . " Error: " .
|
syslog(LOG_ERR, "Database query error. Query: " . $sql . " Error: " .
|
||||||
print_r ($dbh->errorInfo (), true));
|
print_r ($dbh->errorInfo (), true));
|
||||||
die("ERR Database error\n");
|
die("ERR Database error\n");
|
||||||
}
|
}
|
||||||
|
|
||||||
$row = $result->fetch(PDO::FETCH_ASSOC);
|
$row = $sth->fetch(PDO::FETCH_ASSOC);
|
||||||
|
if ($row === false ) {
|
||||||
|
syslog(LOG_INFO, "Unknown yubikey: " . $otp);
|
||||||
|
die("ERR Unknown yubikey\n");
|
||||||
|
}
|
||||||
|
|
||||||
$aeskey = $row['aeskey'];
|
$aeskey = $row['aeskey'];
|
||||||
$internalname = $row['internalname'];
|
$internalname = $row['internalname'];
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
|
$sql = "SELECT aeskey, internalname FROM yubikeys " .
|
||||||
|
"WHERE publicname = '$id' AND active = 1";
|
||||||
$result = oci_parse($dbh, $sql);
|
$result = oci_parse($dbh, $sql);
|
||||||
$execute = oci_execute($result);
|
$execute = oci_execute($result);
|
||||||
if (!$execute) {
|
if (!$execute) {
|
||||||
|
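Review bot: The new PDO query string is unterminated — `" WHERE publicname = :id AND (active = 'true' OR active=1);` has no closing double quote before the `;`, which as rendered would be a parse error for the whole file; it should read `" WHERE publicname = :id AND (active = 'true' OR active=1)";`. The OCI branch in the same hunk still builds its SQL by interpolating `$id` (`"WHERE publicname = '$id' AND active = 1"`), so the move away from string-built SQL only covers the PDO path; the equivalent there is a `:id` placeholder in the string plus `oci_bind_by_name($result, ':id', $id);` after `oci_parse`, so both paths pass the identifier as data rather than as SQL text. The fourth argument to `bindParam` (`16`) is mainly meaningful for output parameters and can be dropped without changing behaviour. The `else` block of the OCI path continues past the end of the hunk.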