From 6386593e02e404f8591e0ebf51895cb12f5c5bef Mon Sep 17 00:00:00 2001
From: Ere Maijala <ere.maijala@helsinki.fi>
Date: Tue, 5 Apr 2016 10:48:49 -0400
Subject: [PATCH] Simplified patronLogin; eliminated SQL vulnerability.

---
 .../src/VuFind/ILS/Driver/NewGenLib.php       | 36 +++++++++----------
 1 file changed, 16 insertions(+), 20 deletions(-)

diff --git a/module/VuFind/src/VuFind/ILS/Driver/NewGenLib.php b/module/VuFind/src/VuFind/ILS/Driver/NewGenLib.php
index 9aa050a0255..35ec430300d 100644
--- a/module/VuFind/src/VuFind/ILS/Driver/NewGenLib.php
+++ b/module/VuFind/src/VuFind/ILS/Driver/NewGenLib.php
@@ -440,39 +440,35 @@ class NewGenLib extends AbstractBase
      */
     public function patronLogin($username, $password)
     {
-        $patron = [];
-        $PatId = $username;
-        $psswrd = $password;
         //SQL Statement
         $sql = "select p.patron_id as patron_id, p.library_id as library_id, " .
             "p.fname as fname, p.lname as lname, p.user_password as " .
             "user_password, p.membership_start_date as membership_start_date, " .
             "p.membership_expiry_date as membership_expiry_date, p.email as " .
-            "email from patron p where p.patron_id='" . $PatId .
-            "' and p.user_password='" . $psswrd . "' and p.membership_start_date " .
+            "email from patron p where p.patron_id=:patronId" .
+            "' and p.user_password=:password and p.membership_start_date " .
             "<= current_date and p.membership_expiry_date > current_date";
 
         try {
             $sqlStmt = $this->db->prepare($sql);
-            $sqlStmt->execute();
+            $sqlStmt->execute([':patronId' => $username, ':password' => $password]);
         } catch (PDOException $e) {
             throw new ILSException($e->getMessage());
         }
-        while ($row = $sqlStmt->fetch(PDO::FETCH_ASSOC)) {
-            if ($PatId != $row['patron_id'] || $psswrd != $row['user_password']) {
-                return null;
-            } else {
-                $patron = ["id" => $PatId,
-                    "firstname" => $row['fname'],
-                    'lastname' => $row['lname'],
-                    'cat_username' => $PatId,
-                    'cat_password' => $psswrd,
-                    'email' => $row['email'],
-                    'major' => null,
-                    'college' => null];
-            }
+        $row = $sqlStmt->fetch(PDO::FETCH_ASSOC);
+        if (!$row) {
+            return null;
         }
-        return $patron;
+        return [
+            "id" => $row['patron_id'],
+            "firstname" => $row['fname'],
+            'lastname' => $row['lname'],
+            'cat_username' => $username,
+            'cat_password' => $password,
+            'email' => $row['email'],
+            'major' => null,
+            'college' => null
+        ];
     }
 
     /**
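Review bot: The rewritten WHERE clause is malformed: the string literal on the line `"' and p.user_password=:password and p.membership_start_date " .` still begins with the single quote that used to close the interpolated patron id, so the query text becomes `p.patron_id=:patronId' and ...` and prepare/execute will fail on every call (surfacing as an ILSException rather than a login result). The line should read `" and p.user_password=:password and p.membership_start_date " .` so that both placeholders are bare. Parameterising the query is the right fix for the injection; the same query still compares the supplied password directly against `p.user_password`, which only works if the backend stores it as given — worth a short comment on the `$sql` assignment such as `// NewGenLib compares the raw credential; no hashing happens on this side` so the next maintainer does not assume a hash check was lost in this change. The docblock for patronLogin starts above the hunk.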
-- 
GitLab