From ba834dc44791eb3b1044798c7e83c9c398fc9789 Mon Sep 17 00:00:00 2001
From: dakkar
Date: Fri, 11 Dec 2015 11:59:32 +0000
Subject: more placeholders
---
 yubiserve.py | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/yubiserve.py b/yubiserve.py
index 9ff3b92..43f0d29 100755
--- a/yubiserve.py
+++ b/yubiserve.py
@@ -125,7 +125,7 @@ class OTPValidation():
 self.userid = match.group(1)
 self.token = self.modhex2hex(match.group(2))
 cur = self.con.cursor()
- cur.execute('SELECT aeskey, internalname FROM yubikeys WHERE publicname = "' + self.userid + '" AND active = "1"')
+ cur.execute('SELECT aeskey, internalname FROM yubikeys WHERE publicname = ? AND active = "1"',(self.userid,))
 rows = cur.fetchall()
 if (len(rows) != 1):
 self.validationResult = self.status['BAD_OTP']
@@ -141,7 +141,7 @@ class OTPValidation():
 return self.validationResult
 self.internalcounter = self.hexdec(self.plaintext[14:16] + self.plaintext[12:14] + self.plaintext[22:24])
 self.timestamp = self.hexdec(self.plaintext[20:22] + self.plaintext[18:20] + self.plaintext[16:18])
- cur.execute('SELECT counter, time FROM yubikeys WHERE publicname = "' + self.userid + '" AND active = "1"')
+ cur.execute('SELECT counter, time FROM yubikeys WHERE publicname = ? AND active = "1"',(self.userid,))
 rows = cur.fetchall()
 if (len(rows) != 1):
 self.validationResult = self.status['BAD_OTP']
@@ -157,7 +157,7 @@ class OTPValidation():
 self.validationResult = self.status['BAD_OTP']
 return self.validationResult
 self.validationResult = self.status['OK']
- cur.execute('UPDATE yubikeys SET counter = ' + str(self.internalcounter) + ', time = ' + str(self.timestamp) + ' WHERE publicname = "' + self.userid + '"')
+ cur.execute('UPDATE yubikeys SET counter = ?, time = ? WHERE publicname = ?', (str(self.internalcounter), str(self.timestamp), self.userid))
 self.con.commit()
 return self.validationResult
 
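Review bot: The binding in the new line of the @@ -125 hunk covers only `publicname`; `active = "1"` is still a double-quoted literal inside the SQL text, which SQLite only accepts by falling back from an unknown identifier to a string and which other engines reject outright, and the same literal survives in the @@ -141 hunk. Since the `?` qmark style is sqlite3's, either write the comparison against a plain integer or bind it too, `cur.execute('SELECT aeskey, internalname FROM yubikeys WHERE publicname = ? AND active = ?', (self.userid, 1))`, choosing the bound value to match the column's declared type, which is not visible here. The @@ -125 and @@ -141 queries also select the same row twice under the same condition; fetching `counter, time` in the first SELECT would remove the second round-trip. The enclosing method begins and ends outside these hunks.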
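Review bot: With placeholders the `str()` wrappers in the @@ -157 hunk's new `UPDATE` are no longer needed and change what is stored: the counter and timestamp are bound as text rather than the numbers `hexdec` presumably produced, so unless the columns carry integer affinity the later comparison against the values read back at @@ -141 becomes a string comparison and the replay check silently weakens. Bind the native values, `cur.execute('UPDATE yubikeys SET counter = ?, time = ? WHERE publicname = ?', (self.internalcounter, self.timestamp, self.userid))`. The read at @@ -141 and this write are separate statements with the commit only after the write, so two concurrent validations of the same OTP could both pass the check before either update lands; an `AND counter < ?` guard on the UPDATE together with a `cur.rowcount` check would make the counter advance atomic. The comparison logic sits between the hunks and is not visible, so that last point is inferred; the method starts and ends outside the hunk.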
@@ -229,7 +229,7 @@ class YubiServeHandler (BaseHTTPServer.BaseHTTPRequestHandler):
 if (getData and getData['id'] != None):
 apiID = re.escape(getData['id'])
 cur = self.con.cursor()
- cur.execute("SELECT secret from apikeys WHERE id = '" + apiID + "'")
+ cur.execute('SELECT secret from apikeys WHERE id = ?', (apiID,))
 rows = cur.fetchall()
 if len(rows) != 0:
 api_key = str(rows[0][0])
@@ -255,7 +255,7 @@ class YubiServeHandler (BaseHTTPServer.BaseHTTPRequestHandler):
 if (getData['id'] != None):
 apiID = re.escape(getData['id'])
 cur = self.con.cursor()
- cur.execute("SELECT secret from apikeys WHERE id = '" + apiID + "'")
+ cur.execute('SELECT secret from apikeys WHERE id = ?', (apiID,))
 rows = cur.fetchall()
 if len(rows) != 0:
 api_key = str(rows[0][0])
@@ -293,7 +293,7 @@ class YubiServeHandler (BaseHTTPServer.BaseHTTPRequestHandler):
 if (getData['id'] != None):
 apiID = re.escape(getData['id'])
 cur = self.con.cursor()
- cur.execute("SELECT secret from apikeys WHERE id = '" + apiID + "'")
+ cur.execute('SELECT secret from apikeys WHERE id = ?', (apiID,))
 rows = cur.fetchall()
 if len(rows) != 0:
 api_key = str(rows[0][0])
@@ -315,7 +315,7 @@ class YubiServeHandler (BaseHTTPServer.BaseHTTPRequestHandler):
 if (getData['id'] != None):
 apiID = re.escape(getData['id'])
 cur = self.con.cursor()
- cur.execute("SELECT secret from apikeys WHERE id = '" + apiID + "'")
+ cur.execute('SELECT secret from apikeys WHERE id = ?', (apiID,))
 rows = cur.fetchall()
 if len(rows) != 0:
 api_key = str(rows[0][0])
@@ -336,7 +336,7 @@ class YubiServeHandler (BaseHTTPServer.BaseHTTPRequestHandler):
 if (getData['id'] != None):
 apiID = re.escape(getData['id'])
 cur = self.con.cursor()
- cur.execute("SELECT secret from apikeys WHERE id = '" + apiID + "'")
+ cur.execute('SELECT secret from apikeys WHERE id = ?',(apiID,))
 rows = cur.fetchall()
 if len(rows) != 0:
 api_key = str(rows[0][0])
-- 
cgit v1.2.3
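Review bot: `apiID = re.escape(getData['id'])` on the context line above the new `cur.execute` in the @@ -229 hunk was an escaping workaround for the string-built query and is now working against the parameterized one: `re.escape` inserts backslashes before non-alphanumeric characters, so an id with any such character is bound with backslashes and never matches its row, while the binding alone already keeps the value out of the SQL text. Pass the value through unchanged, `cur.execute('SELECT secret from apikeys WHERE id = ?', (getData['id'],))`, and drop the `re.escape` line; the same pattern is in the @@ -255, @@ -293, @@ -315 and @@ -336 hunks, and if ids are purely numeric the escape is merely dead weight rather than a functional break. Those five hunks are the same lookup copied verbatim, so a helper along the lines of `_lookup_api_key(self, api_id)` returning the secret or `None` would leave one place to review, and `getData['id'] != None` should be `is not None` in each. Each hunk is a fragment of a handler whose start and end lie outside the hunk.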