[vhffs-dev] [1552] rewrote Robots::Mysql, fixed SQL injection possibilities



Revision: 1552
Author:   gradator
Date:     2010-03-07 03:50:04 +0100 (Sun, 07 Mar 2010)
Log Message:
-----------
rewrote Robots::Mysql, fixed SQL injection possibilities

Modified Paths:
--------------
    trunk/vhffs-api/src/Vhffs/Robots/Mysql.pm

Modified: trunk/vhffs-api/src/Vhffs/Robots/Mysql.pm
===================================================================
--- trunk/vhffs-api/src/Vhffs/Robots/Mysql.pm	2010-03-06 00:07:46 UTC (rev 1551)
+++ trunk/vhffs-api/src/Vhffs/Robots/Mysql.pm	2010-03-07 02:50:04 UTC (rev 1552)
@@ -42,116 +42,109 @@
 use Vhffs::Constants;
 use Vhffs::Functions;
 
+
+sub mysql_admin_db_connect
+{
+	use DBI;
+	my $vhffs = shift;
+	my $mysqlconfig = $vhffs->get_config->get_service('mysql');
+	my $dbuser = $mysqlconfig->{'username'};
+	my $dbpass = $mysqlconfig->{'password'};
+	my $dbhost = $mysqlconfig->{'host'};
+
+	return DBI->connect( 'DBI:mysql:dbname=mysql;host='.$dbhost , $dbuser , $dbpass );
+}
+
+
 sub delete_db
 {
 	my $main = shift;
 	my $db = shift;
+	return unless defined $db;
 
+	my $dbi = mysql_admin_db_connect( $main );
+	return unless $dbi;
+
 	my $query;
-		
-	if( defined $db )
-	{
-		$db->add_history( "Ok, robots takes the destruction of this database" );
-		my $dbi = mysql_admin_db_connect( $main );
-		if( $dbi != 1 )
-		{
-#			$query = "REVOKE ALL PRIVILEGES ON `".$db->get_dbname."` . * FROM \"".$db->get_dbname."\"";
+	$db->add_history( 'Ok, robots takes the destruction of this database' );
 
-			$query = "DELETE FROM `user` WHERE User = '".$db->get_dbname."'";
-			$dbi->do( $query ) or $db->add_history("Error while grant access to the database");
+	$query = 'DELETE FROM `user` WHERE User = \''.$db->get_dbname.'\'';
+	$dbi->do( $query ) or $db->add_history('Error while grant access to the database');
 
-			$query = "DELETE FROM `db` WHERE User = '".$db->get_dbname."'";
-			$dbi->do( $query ) or $db->add_history("Error while grant access to the database");
+	$query = 'DELETE FROM `db` WHERE User = \''.$db->get_dbname.'\'';
+	$dbi->do( $query ) or $db->add_history('Error while grant access to the database');
 
-			$query = "DELETE FROM `tables_priv` WHERE User = '".$db->get_dbname."'";
-			$dbi->do( $query ) or $db->add_history("Error while grant access to the database");
+	$query = 'DELETE FROM `tables_priv` WHERE User = \''.$db->get_dbname.'\'';
+	$dbi->do( $query ) or $db->add_history('Error while grant access to the database');
 
-			$query = "DELETE FROM `columns_priv` WHERE User = '".$db->get_dbname."'";
-			$dbi->do( $query ) or $db->add_history("Error while grant access to the database");
+	$query = 'DELETE FROM `columns_priv` WHERE User = \''.$db->get_dbname.'\'';
+	$dbi->do( $query ) or $db->add_history('Error while grant access to the database');
 
-			$query = "DROP DATABASE `".$db->get_dbname."`";
-			$dbi->do( $query ) or $db->add_history("Error while creating the database");
+	$query = 'DROP DATABASE `'.$db->get_dbname.'`';
+	$dbi->do( $query ) or $db->add_history('Error while deleting the database');
 
-			$dbi->do( "FLUSH PRIVILEGES" );
-			$dbi->disconnect;
-		}
-		$db->add_history( "Robots finished the destruction" );
-		$db->delete;
-	}
+	$dbi->do( 'FLUSH PRIVILEGES' );
+	$dbi->disconnect;
+
+	$db->add_history( 'Robots finished the destruction' );
+	$db->delete;
 }
 
 
 
 sub create_db
 {       
-		my $main = shift;
-		my $db = shift;
+	my $main = shift;
+	my $db = shift;
+	return unless defined $db;
 
-        my $query;
-                
-        if( defined $db )
-        {
-                $db->add_history( "Ok, robots takes the creation of this database" );
-                my $dbi = mysql_admin_db_connect( $main );
-                if( $dbi != 1 )
-                {
-                        # create the database
-                        $query = "CREATE DATABASE `".$db->get_dbname."`";
-                        $dbi->do( $query ) or $db->add_history("Error while creating the database");
+	my $dbi = mysql_admin_db_connect( $main );
+	return unless $dbi;
 
-                        # grant privileges to user
-#                       $query = "GRANT ALL PRIVILEGES ON `".$db->get_dbname."`.* TO `".$db->get_dbname."`@% IDENTIFIED BY '".$db->get_dbpassword."'";
-                        $query = "GRANT ALL ON ".$db->get_dbname.".* TO `".$db->get_dbname."` IDENTIFIED BY '".$db->get_dbpassword."'";
-                        $dbi->do( $query ) or $db->add_history( "An error occured while granting privileges to an admin user" );
+	my $query;
+	$db->add_history( 'Ok, robots takes the creation of this database' );
 
-                        $dbi->do( "FLUSH PRIVILEGES" );
-                        $dbi->disconnect;
-                }
-                $db->add_history( "Robots finished the creation" );
-                $db->set_status( Vhffs::Constants::ACTIVATED );
-                $db->commit;
-				$db->blank_password;
-        }
-}
+	# create the database
+	$query = 'CREATE DATABASE `'.$db->get_dbname.'`';
+	$dbi->do( $query ) or $db->add_history('Error while creating the database');
 
+	# grant privileges to user
+	$query = 'GRANT ALL ON '.$db->get_dbname.'.* TO '.$db->get_dbname.' IDENTIFIED BY ?';
+	$dbi->do( $query, undef, $db->get_dbpassword ) or $db->add_history( 'An error occured while granting privileges to an admin user' );
 
+	$dbi->do( 'FLUSH PRIVILEGES' );
+	$dbi->disconnect;
 
-sub mysql_admin_db_connect
-{
-	use DBI;
-	my $vhffs = shift;
-	my $mysqlconfig = $vhffs->get_config->get_service('mysql');
-	my $dbuser = $mysqlconfig->{'username'};
-	my $dbpass = $mysqlconfig->{'password'};
-	my $dbhost = $mysqlconfig->{'host'};
-
-	return DBI->connect( "DBI:mysql:dbname=mysql;host=$dbhost",$dbuser,$dbpass ) or -1;
+	$db->add_history( 'Robots finished the creation' );
+	$db->set_status( Vhffs::Constants::ACTIVATED );
+	$db->commit;
+	$db->blank_password;
 }
 
+
+
 sub update_db
 {
-		my $main = shift;
-		my $db = shift;
+	my $main = shift;
+	my $db = shift;
+	return unless defined $db;
 
-        my $query;
+	my $dbi = mysql_admin_db_connect( $main );
+	return unless $dbi;
 
-        if( defined $db )
-        {
-                $db->add_history( "Ok, will change password for this database" );
-                my $dbi = mysql_admin_db_connect( $main );
-                if( $dbi != 1 )
-                {
-                        $query = 'UPDATE user SET PASSWORD=PASSWORD(?) WHERE user = ?';
-                        $dbi->do( $query, undef, $db->get_dbpassword, $db->get_dbname) or $db->add_history("Error while grant access to the database");
+	my $query;
+	$db->add_history( 'Ok, will change password for this database' );
 
-                        $dbi->do( 'FLUSH PRIVILEGES' );
-                        $dbi->disconnect;
-                }
-                $db->add_history( "Robots changed the password for this database" );
-                $db->set_status( Vhffs::Constants::ACTIVATED );
-                $db->commit;
-		$db->blank_password;
-        }
+	$query = 'UPDATE user SET PASSWORD=PASSWORD(?) WHERE user = ?';
+	$dbi->do( $query, undef, $db->get_dbpassword, $db->get_dbname) or $db->add_history('Error while grant access to the database');
+
+	$dbi->do( 'FLUSH PRIVILEGES' );
+	$dbi->disconnect;
+
+	$db->add_history( 'Robots changed the password for this database' );
+	$db->set_status( Vhffs::Constants::ACTIVATED );
+	$db->commit;
+	$db->blank_password;
 }
 
 1;
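Review bot: The four DELETE statements at the `$query = 'DELETE FROM ...` lines and the DROP/CREATE/GRANT statements in delete_db and create_db still concatenate `$db->get_dbname` into the SQL text; only the password moved to a bound parameter, so the injection fix is partial unless the name is validated before it reaches this module (not visible in this hunk). The WHERE clauses can bind the name with `?` exactly as update_db already does on its `PASSWORD(?) WHERE user = ?` line, and the identifier positions, which cannot take placeholders, should go through `$dbi->quote_identifier( $db->get_dbname )`. The `Error while grant access to the database` message copied onto every DELETE is misleading for a revocation and hides which step failed; appending `$DBI::errstr` would make the history entries actionable. The `return unless $dbi;` paths also leave no history entry when the admin connection fails, so a stuck request is silent. The rewritten delete_db body below shows the shape; create_db needs the same treatment for its CREATE DATABASE and GRANT lines.
```perl
sub delete_db
{
	# … unchanged: argument check, admin connection, opening history entry …
	my $dbname = $db->get_dbname;
	for my $table ( qw(user db tables_priv columns_priv) ) {
		$dbi->do( "DELETE FROM `$table` WHERE User = ?", undef, $dbname )
			or $db->add_history( "Error while revoking access on `$table`: ".$DBI::errstr );
	}
	$dbi->do( 'DROP DATABASE '.$dbi->quote_identifier( $dbname ) )
		or $db->add_history( 'Error while deleting the database: '.$DBI::errstr );
	# … unchanged: FLUSH PRIVILEGES, disconnect, closing history entry, delete …
}
```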

