author | einhverfr <einhverfr@4979c152-3d1c-0410-bac9-87ea11338e46> | 2006-10-29 05:57:29 +0000 |
---|---|---|
committer | einhverfr <einhverfr@4979c152-3d1c-0410-bac9-87ea11338e46> | 2006-10-29 05:57:29 +0000 |
commit | fe9b8218fcb8035748782c3e033f103c4d039646 (patch) | |
tree | 60e9a7ac2ec1188494fd3dfae7d1d0d418cc78da | |
parent | 7115837a50a690c8740af2365120d8c32f9c1adc (diff) |
Done removing SQL injection issues from User.pm
git-svn-id: https://ledger-smb.svn.sourceforge.net/svnroot/ledger-smb/trunk@377 4979c152-3d1c-0410-bac9-87ea11338e46
-rw-r--r-- | Changelog | 2 | ||||
-rwxr-xr-x | LedgerSMB/User.pm | 72 |
2 files changed, 38 insertions, 36 deletions
@@ -12,7 +12,7 @@ Security:
 * Audited Form.pm for SQL-injection problems and move to new API (Chris T)
 * Audited BP.pm, CA.pm, CT.pm for SQL injection and moved to new API. (Chris T)
 * Audited IS.pm for SQL injection and moved to new API. (Chris T)
-
+* Audited User.pm for SQL injection. (Chris T)
 Localization:
 * Moved localization files to standard codes (Seneca)
diff --git a/LedgerSMB/User.pm b/LedgerSMB/User.pm
index cd9f3728..fabcde51 100755
--- a/LedgerSMB/User.pm
+++ b/LedgerSMB/User.pm
@@ -23,7 +23,7 @@
 #
 #======================================================================
 #
-# This file has NOT undergone whitespace cleanup.
+# This file has undergone whitespace cleanup.
 #
 #======================================================================
 #
@@ -814,59 +814,61 @@ sub save_member {
 sub delete_login {
- my ($self, $form) = @_;
+ my ($self, $form) = @_;
- my $dbh = DBI->connect($form->{dbconnect}, $form->{dbuser}, $form->{dbpasswd}, {AutoCommit} => 0) or $form->dberror;
+ my $dbh = DBI->connect(
+ $form->{dbconnect}, $form->{dbuser}, $form->{dbpasswd},
+ {AutoCommit => 0})
+ or $form->dberror;
- my $login = $form->{login};
- $login =~ s/@.*//;
- my $query = qq|SELECT id FROM employee
- WHERE login = '$login'|;
- my $sth = $dbh->prepare($query);
- $sth->execute || $form->dberror($query);
+ my $login = $form->{login};
+ $login =~ s/@.*//;
+ my $query = qq|SELECT id FROM employee WHERE login = ?|;
+ my $sth = $dbh->prepare($query);
+ $sth->execute($login) || $form->dberror($query);
- my ($id) = $sth->fetchrow_array;
- $sth->finish;
+ my ($id) = $sth->fetchrow_array;
+ $sth->finish;
- my $query = qq|UPDATE employee SET
- login = NULL,
- enddate = current_date
- WHERE login = '$login'|;
- $dbh->do($query);
-
- $dbh->commit;
- $dbh->disconnect;
+ my $query = qq|
+ UPDATE employee
+ SET login = NULL,
+ enddate = current_date
+ WHERE login = ?|;
+ $sth = $dbh->prepare($query);
+ $sth->execute($login);
+ $dbh->commit;
+ $dbh->disconnect;
 }
 sub config_vars {
- my @conf = qw(acs address businessnumber company countrycode
- currency dateformat dbconnect dbdriver dbhost dbname dboptions
- dbpasswd dbport dbuser email fax menuwidth name numberformat
- password printer role sid signature stylesheet tel
- templates timeout vclimit);
+ my @conf =
+ qw(acs address businessnumber company countrycode
+ currency dateformat dbconnect dbdriver dbhost dbname dboptions
+ dbpasswd dbport dbuser email fax menuwidth name numberformat
+ password printer role sid signature stylesheet tel templates
+ timeout vclimit);
- @conf;
+ @conf;
 }
 sub error {
- my ($self, $msg) = @_;
-
- if ($ENV{HTTP_USER_AGENT}) {
- print qq|Content-Type: text/html
+ my ($self, $msg) = @_;
-<body bgcolor=ffffff>
+ if ($ENV{HTTP_USER_AGENT}) {
+ print 
qq|Content-Type: text/html\n\n|.
+ qq|<body bgcolor=ffffff>\n\n|.
+ qq|<h2><font color=red>Error!</font></h2>\n|.
+ qq|<p><b>$msg</b>|;
-<h2><font color=red>Error!</font></h2>
-<p><b>$msg</b>|;
-
- }
+ }
- die "Error: $msg\n";
+ die "Error: $msg\n";
 } |
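Review bot: The UPDATE in delete_login is executed without checking its result: `$sth->execute($login);` is followed directly by `$dbh->commit;`, whereas the SELECT a few lines earlier uses `$sth->execute($login) || $form->dberror($query);`, so a failing UPDATE (dropped connection, constraint, wrong table) commits nothing and reports success; the same guard belongs on the UPDATE, `$sth->execute($login) || $form->dberror($query);`. The `$id` fetched by the SELECT is never used afterwards in this hunk, so either that round-trip can go, or its absence should be used to report an unknown login instead of silently updating zero rows. Separately, `error` still interpolates `$msg` into the HTML response unescaped (`qq|<p><b>$msg</b>|`); if any caller passes user-controlled text into it, that is reflected HTML injection, so the message should be HTML-escaped (at least `&`, `<`, `>`) before printing — the SQL parameterisation in this commit does not cover that output path.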