-rw-r--r-- | src/modules/extra/m_sql.h | 2 | ||||
-rw-r--r-- | src/modules/extra/m_sqlauth.cpp | 18 | ||||
-rw-r--r-- | src/modules/extra/m_sqloper.cpp | 32 |
3 files changed, 7 insertions, 45 deletions
diff --git a/src/modules/extra/m_sql.h b/src/modules/extra/m_sql.h
index 49782b9b4..2e185d978 100644
--- a/src/modules/extra/m_sql.h
+++ b/src/modules/extra/m_sql.h
@@ -232,7 +232,7 @@ class SQLQuery
 rowresult = NULL;
 }
- std::string Sanitise(std::string crap)
+ static std::string Sanitise(const std::string& crap)
 {
 std::string temp = "";
 for (unsigned int q = 0; q < crap.length(); q++)
diff --git a/src/modules/extra/m_sqlauth.cpp b/src/modules/extra/m_sqlauth.cpp
index f27c0c28b..771749075 100644
--- a/src/modules/extra/m_sqlauth.cpp
+++ b/src/modules/extra/m_sqlauth.cpp
@@ -105,7 +105,7 @@ class ModuleSQLAuth : public Module
 }
 }
- bool CheckCredentials(const std::string &username, std::string password)
+ bool CheckCredentials(const std::string &s_username, const std::string &s_password)
 {
 bool found = false;
@@ -114,20 +114,8 @@ class ModuleSQLAuth : public Module
 return false;
 // sanitize the password (we dont want any mysql insertion exploits!)
- std::string temp = "";
- for (unsigned int q = 0; q < password.length(); q++)
- {
- if (password[q] == '\'')
- {
- temp = temp + "\'";
- }
- else if (password[q] == '"')
- {
- temp = temp + "\\\"";
- }
- else temp = temp + password[q];
- }
- password = temp;
+ std::string username = SQLQuery::Sanitise(s_username);
+ std::string password = SQLQuery::Sanitise(s_password);
 // Create a request containing the SQL query and send it to m_sql.so
 std::string querystr("SELECT * FROM "+usertable+" WHERE "+userfield+"='"+username+"' AND "+passfield+"="+encryption+"'"+password+"')");
diff --git a/src/modules/extra/m_sqloper.cpp b/src/modules/extra/m_sqloper.cpp
index 8707f1580..08ac72bcf 100644
--- a/src/modules/extra/m_sqloper.cpp
+++ b/src/modules/extra/m_sqloper.cpp
@@ -92,7 +92,7 @@ class ModuleSQLOper : public Module
 return 0;
 }
- bool LookupOper(std::string username, std::string password, userrec* user)
+ bool LookupOper(const std::string &s_username, const std::string &s_password, userrec* user)
 {
 bool found = false;
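Review bot: Sanitise's body continues past this hunk, so whether it escapes the single quote that delimits the values at its two new call sites cannot be confirmed here; the password loops this commit removes from m_sqlauth.cpp and m_sqloper.cpp appended `"\'"`, which in C++ is a one-character string holding a bare `'`, so they escaped nothing. If Sanitise was written from the same template, making it static and sharing it centralises that gap rather than closing it — the rest of the function is worth reading before both modules depend on it. The new signature is the right shape but the contract should be stated, e.g. `/// Escapes a value for interpolation inside a single-quoted SQL string literal; the caller still adds the surrounding quotes.` A placeholder-based request from the SQL module would remove the hand-rolled escaping altogether.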
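Review bot: The comment kept above the two added lines still says only the password is sanitised, but the hunk now passes the username through Sanitise as well, where before it went into `userfield+"='"+username+"'"` untouched; change it to `// sanitise both values before they are interpolated into the query below`. The same stale comment survives above the equivalent two lines in m_sqloper.cpp's `@@ -101,34 +101,8 @@` hunk. CheckCredentials begins in the previous hunk and its body continues past this one.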
@@ -101,34 +101,8 @@ class ModuleSQLOper : public Module
 return false;
 // sanitize the password (we dont want any mysql insertion exploits!)
- std::string temp = "";
- for (unsigned int q = 0; q < password.length(); q++)
- {
- if (password[q] == '\'')
- {
- temp = temp + "\'";
- }
- else if (password[q] == '"')
- {
- temp = temp + "\\\"";
- }
- else temp = temp + password[q];
- }
- password = temp;
- temp = "";
- for (unsigned int v = 0; v < username.length(); v++)
- {
- if (username[v] == '\'')
- {
- temp = temp + "\'";
- }
- if (username[v] == '"')
- {
- temp = temp + "\\\"";
- }
- else temp = temp + username[v];
- }
- username = temp;
+ std::string username = SQLQuery::Sanitise(s_username);
+ std::string password = SQLQuery::Sanitise(s_password);
 // Create a request containing the SQL query and send it to m_sql.so
 SQLRequest* query = new SQLRequest(SQL_RESULT,dbid,"SELECT username,password,hostname,type FROM ircd_opers WHERE username='"+username+"' AND password=md5('"+password+"')");
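Review bot: Swapping the username loop for SQLQuery::Sanitise changes what happens to a `'` in the username, not just where the code lives: in the removed loop the second `if (username[v] == '"')` was not chained to the first, so a `'` was appended by the first branch and again by the final `else`, which by accident produced the `''` doubling a quoted SQL literal needs, whereas the password loop above it appended `"\'"` (a bare `'`) and escaped nothing. Unless Sanitise doubles or backslash-escapes `'` — its body lies outside this diff — the username path loses the one transformation that was actually effective, so that should be verified rather than assumed from the function's name. The retained comment also still describes only the password being sanitised. LookupOper starts in the previous hunk and continues past this one.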