authordakkar <dakkar@thenautilus.net>2015-12-11 11:59:32 +0000
committerdakkar <dakkar@thenautilus.net>2015-12-11 12:03:52 +0000
commitba834dc44791eb3b1044798c7e83c9c398fc9789 (patch)
tree8176e2b49453ac58e13739d88006553d1b643a47
parentlisten only on localhost (diff)
downloadyubico-yubiserve-ba834dc44791eb3b1044798c7e83c9c398fc9789.tar.gz
yubico-yubiserve-ba834dc44791eb3b1044798c7e83c9c398fc9789.tar.bz2
yubico-yubiserve-ba834dc44791eb3b1044798c7e83c9c398fc9789.zip
more placeholders
-rwxr-xr-xyubiserve.py16
1 files changed, 8 insertions, 8 deletions
diff --git a/yubiserve.py b/yubiserve.py
index 9ff3b92..43f0d29 100755
--- a/yubiserve.py
+++ b/yubiserve.py
@@ -125,7 +125,7 @@ class OTPValidation():
self.userid = match.group(1)
self.token = self.modhex2hex(match.group(2))
cur = self.con.cursor()
- cur.execute('SELECT aeskey, internalname FROM yubikeys WHERE publicname = "' + self.userid + '" AND active = "1"')
+ cur.execute('SELECT aeskey, internalname FROM yubikeys WHERE publicname = ? AND active = "1"',(self.userid,))
rows = cur.fetchall()
if (len(rows) != 1):
self.validationResult = self.status['BAD_OTP']
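Review bot: The rewritten query still spells the constant as `active = "1"` with double quotes, which standard SQL reads as an identifier rather than a string. If this runs on SQLite, it works only because the engine falls back to a string literal when no column has that name. Since the line is being rewritten anyway, use `active = '1'` or bind it as a second parameter. The same applies to the `SELECT counter, time` query in the next hunk. The `?` marker is the qmark paramstyle, so if `self.con` can come from a different DB-API driver, confirm that driver accepts it. The enclosing method starts and ends outside the hunk.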
@@ -141,7 +141,7 @@ class OTPValidation():
return self.validationResult
self.internalcounter = self.hexdec(self.plaintext[14:16] + self.plaintext[12:14] + self.plaintext[22:24])
self.timestamp = self.hexdec(self.plaintext[20:22] + self.plaintext[18:20] + self.plaintext[16:18])
- cur.execute('SELECT counter, time FROM yubikeys WHERE publicname = "' + self.userid + '" AND active = "1"')
+ cur.execute('SELECT counter, time FROM yubikeys WHERE publicname = ? AND active = "1"',(self.userid,))
rows = cur.fetchall()
if (len(rows) != 1):
self.validationResult = self.status['BAD_OTP']
@@ -157,7 +157,7 @@ class OTPValidation():
self.validationResult = self.status['BAD_OTP']
return self.validationResult
self.validationResult = self.status['OK']
- cur.execute('UPDATE yubikeys SET counter = ' + str(self.internalcounter) + ', time = ' + str(self.timestamp) + ' WHERE publicname = "' + self.userid + '"')
+ cur.execute('UPDATE yubikeys SET counter = ?, time = ? WHERE publicname = ?', (str(self.internalcounter), str(self.timestamp), self.userid))
self.con.commit()
return self.validationResult
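Review bot: The UPDATE binds `str(self.internalcounter)` and `str(self.timestamp)`, so the driver receives text where the old concatenated statement produced numeric literals. Whether the values are stored and later compared as numbers then depends on the column types, which are not visible here. The `str()` calls were only needed for concatenation, so bind the values directly: `(self.internalcounter, self.timestamp, self.userid)`. Separately, the counter is read by an earlier SELECT and written here in a second statement, with the comparison outside this hunk. If requests can be served concurrently, repeating the counter condition in this UPDATE's WHERE clause and checking `cur.rowcount` would make the replay check atomic.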
@@ -229,7 +229,7 @@ class YubiServeHandler (BaseHTTPServer.BaseHTTPRequestHandler):
if (getData and getData['id'] != None):
apiID = re.escape(getData['id'])
cur = self.con.cursor()
- cur.execute("SELECT secret from apikeys WHERE id = '" + apiID + "'")
+ cur.execute('SELECT secret from apikeys WHERE id = ?', (apiID,))
rows = cur.fetchall()
if len(rows) != 0:
api_key = str(rows[0][0])
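Review bot: `apiID = re.escape(getData['id'])` is still applied before the value is bound, so the parameter carries regex backslash-escaping rather than the id the client sent. With placeholders it adds no protection, and any id containing a character that `re.escape` escapes will no longer match a row. Bind the raw value instead, `apiID = getData['id']`, preferably after checking it has the expected form (the id format is not visible here). The same line precedes the identical query in the hunks at -255, -293, -315 and -336, and the lookup repeated five times would be easier to keep correct as one helper method. The enclosing handler methods start and end outside these hunks.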
@@ -255,7 +255,7 @@ class YubiServeHandler (BaseHTTPServer.BaseHTTPRequestHandler):
if (getData['id'] != None):
apiID = re.escape(getData['id'])
cur = self.con.cursor()
- cur.execute("SELECT secret from apikeys WHERE id = '" + apiID + "'")
+ cur.execute('SELECT secret from apikeys WHERE id = ?', (apiID,))
rows = cur.fetchall()
if len(rows) != 0:
api_key = str(rows[0][0])
@@ -293,7 +293,7 @@ class YubiServeHandler (BaseHTTPServer.BaseHTTPRequestHandler):
if (getData['id'] != None):
apiID = re.escape(getData['id'])
cur = self.con.cursor()
- cur.execute("SELECT secret from apikeys WHERE id = '" + apiID + "'")
+ cur.execute('SELECT secret from apikeys WHERE id = ?', (apiID,))
rows = cur.fetchall()
if len(rows) != 0:
api_key = str(rows[0][0])
@@ -315,7 +315,7 @@ class YubiServeHandler (BaseHTTPServer.BaseHTTPRequestHandler):
if (getData['id'] != None):
apiID = re.escape(getData['id'])
cur = self.con.cursor()
- cur.execute("SELECT secret from apikeys WHERE id = '" + apiID + "'")
+ cur.execute('SELECT secret from apikeys WHERE id = ?', (apiID,))
rows = cur.fetchall()
if len(rows) != 0:
api_key = str(rows[0][0])
@@ -336,7 +336,7 @@ class YubiServeHandler (BaseHTTPServer.BaseHTTPRequestHandler):
if (getData['id'] != None):
apiID = re.escape(getData['id'])
cur = self.con.cursor()
- cur.execute("SELECT secret from apikeys WHERE id = '" + apiID + "'")
+ cur.execute('SELECT secret from apikeys WHERE id = ?',(apiID,))
rows = cur.fetchall()
if len(rows) != 0:
api_key = str(rows[0][0])