Commit 6386593e authored by Ere Maijala's avatar Ere Maijala Committed by Demian Katz

Simplified patronLogin; eliminated SQL vulnerability.

parent f81d8f76
...@@ -440,39 +440,35 @@ class NewGenLib extends AbstractBase ...@@ -440,39 +440,35 @@ class NewGenLib extends AbstractBase
*/ */
public function patronLogin($username, $password) public function patronLogin($username, $password)
{ {
$patron = [];
$PatId = $username;
$psswrd = $password;
//SQL Statement //SQL Statement
$sql = "select p.patron_id as patron_id, p.library_id as library_id, " . $sql = "select p.patron_id as patron_id, p.library_id as library_id, " .
"p.fname as fname, p.lname as lname, p.user_password as " . "p.fname as fname, p.lname as lname, p.user_password as " .
"user_password, p.membership_start_date as membership_start_date, " . "user_password, p.membership_start_date as membership_start_date, " .
"p.membership_expiry_date as membership_expiry_date, p.email as " . "p.membership_expiry_date as membership_expiry_date, p.email as " .
"email from patron p where p.patron_id='" . $PatId . "email from patron p where p.patron_id=:patronId" .
"' and p.user_password='" . $psswrd . "' and p.membership_start_date " . "' and p.user_password=:password and p.membership_start_date " .
"<= current_date and p.membership_expiry_date > current_date"; "<= current_date and p.membership_expiry_date > current_date";
try { try {
$sqlStmt = $this->db->prepare($sql); $sqlStmt = $this->db->prepare($sql);
$sqlStmt->execute(); $sqlStmt->execute([':patronId' => $username, ':password' => $password]);
} catch (PDOException $e) { } catch (PDOException $e) {
throw new ILSException($e->getMessage()); throw new ILSException($e->getMessage());
} }
while ($row = $sqlStmt->fetch(PDO::FETCH_ASSOC)) { $row = $sqlStmt->fetch(PDO::FETCH_ASSOC);
if ($PatId != $row['patron_id'] || $psswrd != $row['user_password']) { if (!$row) {
return null; return null;
} else {
$patron = ["id" => $PatId,
"firstname" => $row['fname'],
'lastname' => $row['lname'],
'cat_username' => $PatId,
'cat_password' => $psswrd,
'email' => $row['email'],
'major' => null,
'college' => null];
}
} }
return $patron; return [
"id" => $row['patron_id'],
"firstname" => $row['fname'],
'lastname' => $row['lname'],
'cat_username' => $username,
'cat_password' => $password,
'email' => $row['email'],
'major' => null,
'college' => null
];
} }
/** /**