-rw-r--r--Changelog2
-rwxr-xr-xLedgerSMB/User.pm72
2 files changed, 38 insertions, 36 deletions
diff --git a/Changelog b/Changelog
index aec572c4..9406b5eb 100644
--- a/Changelog
+++ b/Changelog
@@ -12,7 +12,7 @@ Security:
* Audited Form.pm for SQL-injection problems and move to new API (Chris T)
* Audited BP.pm, CA.pm, CT.pm for SQL injection and moved to new API. (Chris T)
* Audited IS.pm for SQL injection and moved to new API. (Chris T)
-
+* Audited User.pm for SQL injection. (Chris T)
Localization:
* Moved localization files to standard codes (Seneca)
diff --git a/LedgerSMB/User.pm b/LedgerSMB/User.pm
index cd9f3728..fabcde51 100755
--- a/LedgerSMB/User.pm
+++ b/LedgerSMB/User.pm
@@ -23,7 +23,7 @@
#
#======================================================================
#
-# This file has NOT undergone whitespace cleanup.
+# This file has undergone whitespace cleanup.
#
#======================================================================
#
@@ -814,59 +814,61 @@ sub save_member {
sub delete_login {
- my ($self, $form) = @_;
+ my ($self, $form) = @_;
- my $dbh = DBI->connect($form->{dbconnect}, $form->{dbuser}, $form->{dbpasswd}, {AutoCommit} => 0) or $form->dberror;
+ my $dbh = DBI->connect(
+ $form->{dbconnect}, $form->{dbuser}, $form->{dbpasswd},
+ {AutoCommit => 0})
+ or $form->dberror;
- my $login = $form->{login};
- $login =~ s/@.*//;
- my $query = qq|SELECT id FROM employee
- WHERE login = '$login'|;
- my $sth = $dbh->prepare($query);
- $sth->execute || $form->dberror($query);
+ my $login = $form->{login};
+ $login =~ s/@.*//;
+ my $query = qq|SELECT id FROM employee WHERE login = ?|;
+ my $sth = $dbh->prepare($query);
+ $sth->execute($login) || $form->dberror($query);
- my ($id) = $sth->fetchrow_array;
- $sth->finish;
+ my ($id) = $sth->fetchrow_array;
+ $sth->finish;
- my $query = qq|UPDATE employee SET
- login = NULL,
- enddate = current_date
- WHERE login = '$login'|;
- $dbh->do($query);
-
- $dbh->commit;
- $dbh->disconnect;
+ my $query = qq|
+ UPDATE employee
+ SET login = NULL,
+ enddate = current_date
+ WHERE login = ?|;
+ $sth = $dbh->prepare($query);
+ $sth->execute($login);
+ $dbh->commit;
+ $dbh->disconnect;
}
sub config_vars {
- my @conf = qw(acs address businessnumber company countrycode
- currency dateformat dbconnect dbdriver dbhost dbname dboptions
- dbpasswd dbport dbuser email fax menuwidth name numberformat
- password printer role sid signature stylesheet tel
- templates timeout vclimit);
+ my @conf =
+ qw(acs address businessnumber company countrycode
+ currency dateformat dbconnect dbdriver dbhost dbname dboptions
+ dbpasswd dbport dbuser email fax menuwidth name numberformat
+ password printer role sid signature stylesheet tel templates
+ timeout vclimit);
- @conf;
+ @conf;
}
sub error {
- my ($self, $msg) = @_;
-
- if ($ENV{HTTP_USER_AGENT}) {
- print qq|Content-Type: text/html
+ my ($self, $msg) = @_;
-<body bgcolor=ffffff>
+ if ($ENV{HTTP_USER_AGENT}) {
+ print qq|Content-Type: text/html\n\n|.
+ qq|<body bgcolor=ffffff>\n\n|.
+ qq|<h2><font color=red>Error!</font></h2>\n|.
+ qq|<p><b>$msg</b>|;
-<h2><font color=red>Error!</font></h2>
-<p><b>$msg</b>|;
-
- }
+ }
- die "Error: $msg\n";
+ die "Error: $msg\n";
}
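Review bot: In delete_login the UPDATE is run as `$sth->execute($login);` with no error check, while the SELECT a few lines above reports failure through `$form->dberror($query)`; since the connection is opened with `AutoCommit => 0` and no RaiseError attribute, a failed update is silently followed by `$dbh->commit`, so the line should read `$sth->execute($login) || $form->dberror($query);`. The `$id` fetched by the SELECT is never used anywhere in the sub, and `my $query` is declared twice in the same scope, which produces a "masks earlier declaration" warning under `use warnings`; assigning to the existing `$query` for the second statement avoids that. In error, `$msg` is interpolated into the HTML body unescaped, so any caller-supplied text in the message is emitted verbatim into the page; escaping `&`, `<` and `>` in a copy of `$msg` before the `print` (or using an HTML-encoding helper the project already depends on) keeps the error page inert while leaving the `die "Error: $msg\n"` message unchanged.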