warden/rlgwebd
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
rlgwebd/sqlickrypt.c
John "Elwin" Edwards 41c84bcd40 sqlickrypt.c: begin converting to parametrized queries. 
Switch the check() function to use parametrized SQL queries instead of
contructing statements with strcat(), for obvious reasons.
2012-06-03 17:08:40 -07:00

155 lines
3.8 KiB
C
Raw Blame History

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <sqlite3.h>
#include <unistd.h>
#include <crypt.h>
#define DATABASE "/dgldir/dgamelaunch.db"
#define IBUFSIZE 200
int xcallback(void *targ, int ncols, char **vals, char **colnames) {
char *pws;
int j;
pws = *((char **) targ);
if (pws == NULL) {
for (j = 0; j < ncols; j++) {
if (!strcmp(colnames[j], "password"))
*((char **) targ) = strdup(vals[j]);
}
}
/* Otherwise, this isn't the first row. */
return 0;
}
/* Simple callback, for checking if there are any matches. */
int searchcallback(void *targ, int ncols, char **vals, char **colnames) {
*((int *) targ) = 1;
return 0;
}
int check(char *uname, char *pw) {
char *pwhash, *comphash;
char *query = "SELECT password FROM dglusers WHERE username=?;";
int status;
sqlite3 *db;
sqlite3_stmt *qstmt;
status = sqlite3_open(DATABASE, &db);
if (status) {
sqlite3_close(db);
return 3;
}
sqlite3_prepare_v2(db, query, -1, &qstmt, NULL);
if (qstmt == NULL) {
sqlite3_close(db);
return 3;
}
status = sqlite3_bind_text(qstmt, 1, uname, -1, SQLITE_TRANSIENT);
if (status) {
sqlite3_finalize(qstmt);
sqlite3_close(db);
return 3;
}
status = sqlite3_step(qstmt);
if (status != SQLITE_ROW) {
sqlite3_finalize(qstmt);
sqlite3_close(db);
if (status == SQLITE_DONE)
return 2; /* User not found */
return 3;
}
pwhash = strdup((char *) sqlite3_column_text(qstmt, 0));
/* Clean up */
sqlite3_finalize(qstmt);
sqlite3_close(db);
/* Check the password */
comphash = crypt(pw, pwhash);
if (!strcmp(pwhash, comphash))
status = 0;
else
status = 1;
free(pwhash);
return status;
}
int insertuser(char *uname, char *pw, char *email) {
char finduser_sql[160];
int status;
sqlite3 *db;
strcpy(finduser_sql, "BEGIN; SELECT * FROM dglusers WHERE username='");
strncat(finduser_sql, uname, 40);
strcat(finduser_sql, "';");
status = sqlite3_open(DATABASE, &db);
if (status) {
sqlite3_close(db);
return 1;
}
status = 0;
sqlite3_exec(db, finduser_sql, searchcallback, (void *) &status, NULL);
if (!status) {
/* FIXME This is ugly, and email is unsanitzed. */
strcpy(finduser_sql, "INSERT INTO dglusers (username, password, email) VALUES ('");
strncat(finduser_sql, uname, 20);
strcat(finduser_sql, "', '");
strcat(finduser_sql, crypt(pw, pw));
strcat(finduser_sql, "', '");
strncat(finduser_sql, email, 40);
strcat(finduser_sql, "');");
sqlite3_exec(db, finduser_sql, NULL, NULL, NULL);
}
sqlite3_exec(db, "COMMIT;", NULL, NULL, NULL);
sqlite3_close(db);
return status;
}
int main(int argc, char *argv[]) {
char ibuf[IBUFSIZE], *uname, *pw, *email;
char *cptr; // Utility pointer
int status;
/* Read in the username and password */
fgets(ibuf, IBUFSIZE, stdin);
uname = ibuf;
pw = strchr(uname, '\n');
if (pw == NULL)
exit(4); /* Truncated */
*pw = '\0';
pw++;
fgets(pw, IBUFSIZE - (pw - ibuf), stdin);
if (pw[strlen(pw) - 1] == '\n')
pw[strlen(pw) - 1] = '\0';
else
exit(4); /* Truncated */
if (argc > 1 && !strcmp(argv[1], "register")) {
email = pw + strlen(pw) + 1;
fgets(email, IBUFSIZE - (email - ibuf), stdin);
if (email[strlen(email) - 1] == '\n')
email[strlen(email) - 1] = '\0';
else
exit(4);
for (cptr = email; *cptr != '\0'; cptr++) {
if (!isalnum(*cptr) && !strchr("@._-", *cptr)) {
exit(4);
}
}
}
/* Sanitize the username, because it gets put into a query. */
for (cptr = uname; *cptr != '\0'; cptr++) {
if (!isalnum(*cptr)) {
exit(4);
}
}
if (argc == 1 || !strcmp(argv[1], "check"))
status = check(uname, pw);
else if (!strcmp(argv[1], "register")) {
status = insertuser(uname, pw, email);
}
else
status = 127;
return status;
}
Reference in a new issue View git blame Copy permalink