aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorlpsolit%gmail.com <>2005-10-12 08:16:54 +0000
committerlpsolit%gmail.com <>2005-10-12 08:16:54 +0000
commitd17d6f9f752f2b98e838232262f583b18ff0490a (patch)
tree6cd67b1d2ff5a63e2162cfa7cd433913ca7b981e /token.cgi
parentBug 106003: Dependency tree does not show the summary of the root bug - Patch... (diff)
downloadbugzilla-d17d6f9f752f2b98e838232262f583b18ff0490a.tar.gz
bugzilla-d17d6f9f752f2b98e838232262f583b18ff0490a.tar.bz2
bugzilla-d17d6f9f752f2b98e838232262f583b18ff0490a.zip
Bug 303697: Eliminate deprecated Bugzilla::DB routines from token.cgi - Patch by Teemu Mannermaa <wicked@etlicon.fi> r=LpSolit a=justdave
Diffstat (limited to 'token.cgi')
-rwxr-xr-xtoken.cgi82
1 files changed, 42 insertions, 40 deletions
diff --git a/token.cgi b/token.cgi
index 07f6c3d85..6b2eb2b64 100755
--- a/token.cgi
+++ b/token.cgi
@@ -65,20 +65,20 @@ $::action = $cgi->param('a');
if ($cgi->param('t')) {
# Assign the token and its SQL quoted equivalent to global variables.
$::token = $cgi->param('t');
- $::quotedtoken = SqlQuote($::token);
# Make sure the token contains only valid characters in the right amount.
my $validationerror = ValidatePassword($::token);
if ($validationerror) {
ThrowUserError("token_invalid");
}
-
+ trick_taint($::token); # Only used in placeholders
Bugzilla::Token::CleanTokenTable();
# Make sure the token exists in the database.
- SendSQL( "SELECT tokentype FROM tokens WHERE token = $::quotedtoken" );
- (my $tokentype = FetchSQLData()) || ThrowUserError("token_inexistent");
+ my ($tokentype) = $dbh->selectrow_array('SELECT tokentype FROM tokens
+ WHERE token = ?', undef, $::token);
+ $tokentype || ThrowUserError("token_inexistent");
# Make sure the token is the correct type for the action being taken.
if ( grep($::action eq $_ , qw(cfmpw cxlpw chgpw)) && $tokentype ne 'password' ) {
@@ -115,11 +115,12 @@ if ( $::action eq 'reqpw' ) {
|| ThrowUserError('illegal_email_address',
{addr => $cgi->param('loginname')});
- my $quotedloginname = SqlQuote($cgi->param('loginname'));
- SendSQL("SELECT userid FROM profiles WHERE " .
- $dbh->sql_istrcmp('login_name', $quotedloginname));
- FetchSQLData()
- || ThrowUserError("account_inexistent");
+ my $loginname = $cgi->param('loginname');
+ trick_taint($loginname); # Used only in a placeholder
+ my ($user_id) = $dbh->selectrow_array('SELECT userid FROM profiles WHERE ' .
+ $dbh->sql_istrcmp('login_name', '?'),
+ undef, $loginname);
+ $user_id || ThrowUserError("account_inexistent");
}
# If the user is changing their password, make sure they submitted a new
@@ -197,21 +198,22 @@ sub cancelChangePassword {
sub changePassword {
my $dbh = Bugzilla->dbh;
- # Quote the password and token for inclusion into SQL statements.
+ # Create a crypted version of the new password
my $cryptedpassword = bz_crypt($cgi->param('password'));
- my $quotedpassword = SqlQuote($cryptedpassword);
+ trick_taint($cryptedpassword); # Used only in a placeholder
# Get the user's ID from the tokens table.
- SendSQL("SELECT userid FROM tokens WHERE token = $::quotedtoken");
- my $userid = FetchSQLData();
+ my ($userid) = $dbh->selectrow_array('SELECT userid FROM tokens
+ WHERE token = ?', undef, $::token);
# Update the user's password in the profiles table and delete the token
# from the tokens table.
$dbh->bz_lock_tables('profiles WRITE', 'tokens WRITE');
- SendSQL("UPDATE profiles
- SET cryptpassword = $quotedpassword
- WHERE userid = $userid");
- SendSQL("DELETE FROM tokens WHERE token = $::quotedtoken");
+ $dbh->do(q{UPDATE profiles
+ SET cryptpassword = ?
+ WHERE userid = ?},
+ undef, ($cryptedpassword, $userid) );
+ $dbh->do('DELETE FROM tokens WHERE token = ?', undef, $::token);
$dbh->bz_unlock_tables();
Bugzilla->logout_user_by_id($userid);
@@ -237,11 +239,10 @@ sub changeEmail {
my $dbh = Bugzilla->dbh;
# Get the user's ID from the tokens table.
- SendSQL("SELECT userid, eventdata FROM tokens
- WHERE token = $::quotedtoken");
- my ($userid, $eventdata) = FetchSQLData();
+ my ($userid, $eventdata) = $dbh->selectrow_array(
+ q{SELECT userid, eventdata FROM tokens
+ WHERE token = ?}, undef, $::token);
my ($old_email, $new_email) = split(/:/,$eventdata);
- my $quotednewemail = SqlQuote($new_email);
# Check the user entered the correct old email address
if(lc($cgi->param('email')) ne lc($old_email)) {
@@ -258,12 +259,13 @@ sub changeEmail {
# Update the user's login name in the profiles table and delete the token
# from the tokens table.
$dbh->bz_lock_tables('profiles WRITE', 'tokens WRITE');
- SendSQL("UPDATE profiles
- SET login_name = $quotednewemail
- WHERE userid = $userid");
- SendSQL("DELETE FROM tokens WHERE token = $::quotedtoken");
- SendSQL("DELETE FROM tokens WHERE userid = $userid
- AND tokentype = 'emailnew'");
+ $dbh->do(q{UPDATE profiles
+ SET login_name = ?
+ WHERE userid = ?},
+ undef, ($new_email, $userid));
+ $dbh->do('DELETE FROM tokens WHERE token = ?', undef, $::token);
+ $dbh->do(q{DELETE FROM tokens WHERE userid = ?
+ AND tokentype = 'emailnew'}, undef, $userid);
$dbh->bz_unlock_tables();
# The email address has been changed, so we need to rederive the groups
@@ -285,25 +287,25 @@ sub cancelChangeEmail {
my $dbh = Bugzilla->dbh;
# Get the user's ID from the tokens table.
- SendSQL("SELECT userid, tokentype, eventdata FROM tokens
- WHERE token = $::quotedtoken");
- my ($userid, $tokentype, $eventdata) = FetchSQLData();
+ my ($userid, $tokentype, $eventdata) = $dbh->selectrow_array(
+ q{SELECT userid, tokentype, eventdata FROM tokens
+ WHERE token = ?}, undef, $::token);
my ($old_email, $new_email) = split(/:/,$eventdata);
if($tokentype eq "emailold") {
$vars->{'message'} = "emailold_change_cancelled";
- SendSQL("SELECT login_name FROM profiles WHERE userid = $userid");
- my $actualemail = FetchSQLData();
+ my $actualemail = $dbh->selectrow_array(
+ q{SELECT login_name FROM profiles
+ WHERE userid = ?}, undef, $userid);
# check to see if it has been altered
if($actualemail ne $old_email) {
- my $quotedoldemail = SqlQuote($old_email);
-
$dbh->bz_lock_tables('profiles WRITE');
- SendSQL("UPDATE profiles
- SET login_name = $quotedoldemail
- WHERE userid = $userid");
+ $dbh->do(q{UPDATE profiles
+ SET login_name = ?
+ WHERE userid = ?},
+ undef, ($old_email, $userid));
$dbh->bz_unlock_tables();
# email has changed, so rederive groups
@@ -327,9 +329,9 @@ sub cancelChangeEmail {
Bugzilla::Token::Cancel($::token, $vars->{'message'});
$dbh->bz_lock_tables('tokens WRITE');
- SendSQL("DELETE FROM tokens
- WHERE userid = $userid
- AND tokentype = 'emailold' OR tokentype = 'emailnew'");
+ $dbh->do(q{DELETE FROM tokens WHERE userid = ?
+ AND tokentype = 'emailold' OR tokentype = 'emailnew'},
+ undef, $userid);
$dbh->bz_unlock_tables();
# Return HTTP response headers.