1
0
mirror of https://github.com/Yubico/yubikey-ksm.git synced 2024-12-11 09:24:14 +01:00

Use prepared statement for query

This commit uses a prepared statement for the querying of the id. It's a bit cleaner and avoids the use of addslashes(). PDO does the preparing of the statements for databases that do not support it, so that should be OK. 

This commit changes the query to have an or for active=1 and active=true because sqlite does not support active=1 and returns not results.

This commit tests if $sth->fetch() succeeded before using the result as as array to prevent notices.
This commit is contained in:
Mrten 2013-09-27 12:12:08 +02:00
parent 113c3193ff
commit e2975808a5

View File

@ -66,27 +66,50 @@ else {
$dbh = oci_connect($db_username, $db_password, $db_dsn);
if (!$dbh) {
$error = oci_error();
syslog(LOG_err, "Database error: " . $error["message"]);
syslog(LOG_ERR, "Database error: " . $error["message"]);
die("ERR Database error\n");
}
}
$sql = "SELECT aeskey, internalname FROM yubikeys " .
"WHERE publicname = '$id' AND active = 1";
if (!$use_oci) {
$result = $dbh->query($sql);
if (!$result) {
// use OR for active because some databases do support booleans (sqlite) and some do not.
$sql = "SELECT aeskey, internalname FROM yubikeys" .
" WHERE publicname = :id AND (active = 'true' OR active=1);
$sth = $dbh->prepare($sql);
if ($sth === false) {
syslog(LOG_ERR, "Database prepare error. Query: " . $sql . " Error: " .
print_r ($dbh->errorInfo (), true));
die("ERR Database error\n");
}
$result = $sth->bindParam(':id', $id, PDO::PARAM_STR, 16);
if ($result === false) {
syslog(LOG_ERR, "Database bind error. Query: " . $sql . " Error: " .
print_r ($dbh->errorInfo (), true));
die("ERR Database error\n");
}
$result = $sth->execute();
if ($result === false) {
syslog(LOG_ERR, "Database query error. Query: " . $sql . " Error: " .
print_r ($dbh->errorInfo (), true));
die("ERR Database error\n");
}
$row = $result->fetch(PDO::FETCH_ASSOC);
$row = $sth->fetch(PDO::FETCH_ASSOC);
if ($row === false ) {
syslog(LOG_INFO, "Unknown yubikey: " . $otp);
die("ERR Unknown yubikey\n");
}
$aeskey = $row['aeskey'];
$internalname = $row['internalname'];
}
else {
$sql = "SELECT aeskey, internalname FROM yubikeys " .
"WHERE publicname = '$id' AND active = 1";
$result = oci_parse($dbh, $sql);
$execute = oci_execute($result);
if (!$execute) {