comparison sqlickrypt.c @ 24:9d5da43c0e83
sqlickrypt.c: begin converting to parametrized queries.
Switch the check() function to use parametrized SQL queries instead of
constructing statements with strcat(), for obvious reasons.
author | John "Elwin" Edwards <elwin@sdf.org> |
---|---|
date | Sun, 03 Jun 2012 17:08:40 -0700 |
parents | 59ea628abb81 |
children | f275d816e857 |
23:21de24c08aed | 24:9d5da43c0e83 |
---|---|
28 *((int *) targ) = 1; | 28 *((int *) targ) = 1; |
29 return 0; | 29 return 0; |
30 } | 30 } |
31 | 31 |
32 int check(char *uname, char *pw) { | 32 int check(char *uname, char *pw) { |
33 char finduser_sql[160]; | 33 char *pwhash, *comphash; |
34 char *pwhash = NULL, *comphash; | 34 char *query = "SELECT password FROM dglusers WHERE username=?;"; |
35 int status; | 35 int status; |
36 sqlite3 *db; | 36 sqlite3 *db; |
37 | 37 sqlite3_stmt *qstmt; |
38 strcpy(finduser_sql, "SELECT * FROM dglusers WHERE username='"); | |
39 strncat(finduser_sql, uname, 40); | |
40 strcat(finduser_sql, "';"); | |
41 | 38 |
42 status = sqlite3_open(DATABASE, &db); | 39 status = sqlite3_open(DATABASE, &db); |
43 if (status) { | 40 if (status) { |
44 sqlite3_close(db); | 41 sqlite3_close(db); |
45 return 1; | 42 return 3; |
46 } | 43 } |
47 sqlite3_exec(db, finduser_sql, xcallback, (void *) &pwhash, NULL); | 44 sqlite3_prepare_v2(db, query, -1, &qstmt, NULL); |
45 if (qstmt == NULL) { | |
46 sqlite3_close(db); | |
47 return 3; | |
48 } | |
49 status = sqlite3_bind_text(qstmt, 1, uname, -1, SQLITE_TRANSIENT); | |
50 if (status) { | |
51 sqlite3_finalize(qstmt); | |
52 sqlite3_close(db); | |
53 return 3; | |
54 } | |
55 status = sqlite3_step(qstmt); | |
56 if (status != SQLITE_ROW) { | |
57 sqlite3_finalize(qstmt); | |
58 sqlite3_close(db); | |
59 if (status == SQLITE_DONE) | |
60 return 2; /* User not found */ | |
61 return 3; | |
62 } | |
63 pwhash = strdup((char *) sqlite3_column_text(qstmt, 0)); | |
64 /* Clean up */ | |
65 sqlite3_finalize(qstmt); | |
66 sqlite3_close(db); | |
48 | 67 |
49 sqlite3_close(db); | 68 /* Check the password */ |
50 /* Now check the password. */ | |
51 if (pwhash == NULL) { | |
52 return 2; | |
53 } | |
54 comphash = crypt(pw, pwhash); | 69 comphash = crypt(pw, pwhash); |
55 if (!strcmp(pwhash, comphash)) | 70 if (!strcmp(pwhash, comphash)) |
56 return 0; | 71 status = 0; |
57 return 1; | 72 else |
73 status = 1; | |
74 free(pwhash); | |
75 return status; | |
58 } | 76 } |
59 | 77 |
60 int insertuser(char *uname, char *pw, char *email) { | 78 int insertuser(char *uname, char *pw, char *email) { |
61 char finduser_sql[160]; | 79 char finduser_sql[160]; |
62 int status; | 80 int status; |
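Review bot: New line 63, `pwhash = strdup((char *) sqlite3_column_text(qstmt, 0));`, passes a null pointer to strdup() when the stored password column is NULL, and strdup() itself can return NULL on allocation failure; the old `if (pwhash == NULL)` guard that would have caught this was dropped, so `crypt(pw, pwhash)` on line 69 then runs on a null pointer. crypt() may also return NULL on failure, which the unchanged `strcmp(pwhash, comphash)` on line 70 does not check before dereferencing. Suggest reading the column into a local, guarding both pointers, and returning the error code 3 this revision already uses for the other failure paths, as sketched below. The missing return-value check on `sqlite3_prepare_v2()` at line 44 is covered by the `qstmt == NULL` test since the library nulls the output statement on error, but checking `status` there as well would make that intent explicit.
```c
    const unsigned char *col = sqlite3_column_text(qstmt, 0);
    pwhash = col ? strdup((const char *) col) : NULL;
    /* Clean up */
    sqlite3_finalize(qstmt);
    sqlite3_close(db);
    if (pwhash == NULL)
        return 3; /* NULL password column or strdup() failure */

    /* Check the password */
    comphash = crypt(pw, pwhash);
    if (comphash != NULL && !strcmp(pwhash, comphash))
        status = 0;
    else
        status = 1;
    /* … unchanged: free(pwhash); return status; … */
```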