Simplified patronLogin; eliminated SQL vulnerability.

lahmann · Apr 5, 2016 · c696cea · c696cea
1 parent ba29923
commit c696cea
Showing 1 changed file with 16 additions and 20 deletions.
diff --git a/module/VuFind/src/VuFind/ILS/Driver/NewGenLib.php b/module/VuFind/src/VuFind/ILS/Driver/NewGenLib.php
@@ -440,39 +440,35 @@ public function getStatuses($StatusResult)
      */
     public function patronLogin($username, $password)
     {
-        $patron = [];
-        $PatId = $username;
-        $psswrd = $password;
         //SQL Statement
         $sql = "select p.patron_id as patron_id, p.library_id as library_id, " .
             "p.fname as fname, p.lname as lname, p.user_password as " .
             "user_password, p.membership_start_date as membership_start_date, " .
             "p.membership_expiry_date as membership_expiry_date, p.email as " .
-            "email from patron p where p.patron_id='" . $PatId .
-            "' and p.user_password='" . $psswrd . "' and p.membership_start_date " .
+            "email from patron p where p.patron_id=:patronId" .
+            "' and p.user_password=:password and p.membership_start_date " .
             "<= current_date and p.membership_expiry_date > current_date";
 
         try {
             $sqlStmt = $this->db->prepare($sql);
-            $sqlStmt->execute();
+            $sqlStmt->execute([':patronId' => $username, ':password' => $password]);
         } catch (PDOException $e) {
             throw new ILSException($e->getMessage());
         }
-        while ($row = $sqlStmt->fetch(PDO::FETCH_ASSOC)) {
-            if ($PatId != $row['patron_id'] || $psswrd != $row['user_password']) {
-                return null;
-            } else {
-                $patron = ["id" => $PatId,
-                    "firstname" => $row['fname'],
-                    'lastname' => $row['lname'],
-                    'cat_username' => $PatId,
-                    'cat_password' => $psswrd,
-                    'email' => $row['email'],
-                    'major' => null,
-                    'college' => null];
-            }
+        $row = $sqlStmt->fetch(PDO::FETCH_ASSOC);
+        if (!$row) {
+            return null;
         }
-        return $patron;
+        return [
+            "id" => $row['patron_id'],
+            "firstname" => $row['fname'],
+            'lastname' => $row['lname'],
+            'cat_username' => $username,
+            'cat_password' => $password,
+            'email' => $row['email'],
+            'major' => null,
+            'college' => null
+        ];
     }
 
     /**