Changeset 448 for branches/htmlform/cgi-bin/IPDB.pm

Timestamp:

07/27/10 13:56:39 (14 years ago)

Author:

Kris Deugau

Message:

/branches/htmlform

Escape forwarded form data with $q->escapeHTML on most forms in
main.cgi (see #15)
Fix up most subs in IPDB.pm that deal with form data that needs
escaping (see #34)

File:

• branches/htmlform/cgi-bin/IPDB.pm (modified) (4 diffs)

branches/htmlform/cgi-bin/IPDB.pm

@@ -347 +347 @@
       $cidr = $data[0];  # $cidr is already declared when we get here!
 
-      $sth = $dbh->prepare("update poolips set custid='$custid',".
-        "city='$city',available='n',description='$desc',notes='$notes',".
-        "circuitid='$circid',privdata='$privdata'".
-        " where ip='$cidr'");
-      $sth->execute;
+      $sth = $dbh->prepare("update poolips set custid=?,city=?,".
+        "available='n',description=?,notes=?,circuitid=?,privdata=?".
+        " where ip=?");
+      $sth->execute($custid, $city, $desc, $notes, $circid, $privdata, "$cidr");
 # node hack
       if ($nodeid && $nodeid ne '') {
@@ -399 +398 @@
           $sth = $dbh->prepare("insert into allocations".
                 " (cidr,custid,type,city,description,notes,maskbits,circuitid,privdata)".
-                " values ('$cidr','$custid','$type','$city','$desc','$notes',".
-                $cidr->masklen.",'$circid','$privdata')");
-          $sth->execute;
+                " values (?,?,?,?,?,?,?,?,?)");
+          $sth->execute("$cidr", $custid, $type, $city, $desc, $notes, $cidr->masklen, $circid, $privdata);
 
           # And initialize the pool, if necessary
@@ -509 +507 @@
           $sth = $dbh->prepare("insert into allocations (cidr,custid,type,city,".
                 "description,notes,maskbits,circuitid,privdata)".
-                " values ('$cidr','$custid','$type','$city','$desc','$notes',".
-                $cidr->masklen.",'$circid','$privdata')");
-          $sth->execute;
+                " values (?,?,?,?,?,?,?,?,?)");
+          $sth->execute("$cidr", $custid, $type, $city, $desc, $notes, $cidr->masklen, $circid, $privdata);
 
           # And initialize the pool, if necessary
@@ -633 +630 @@
     eval {
       $msg = "Unable to deallocate $disp_alloctypes{$type} $cidr";
-      $sth = $dbh->prepare("update poolips set custid='$defcustid',available='y',".
-        "city=(select city from allocations where cidr >>= '$cidr'".
+      $sth = $dbh->prepare("update poolips set custid=?,available='y',".
+        "city=(select city from allocations where cidr >>= ?".
         " order by masklen(cidr) desc limit 1),".
-        "description='',notes='',circuitid='' where ip='$cidr'");
-      $sth->execute;
+        "description='',notes='',circuitid='' where ip=?");
+      $sth->execute($defcustid, "$cidr", "$cidr");
       $dbh->commit;
     };