mirrors/sapphire
1
Fork 0
mirror of https://github.com/SapphireServer/Sapphire.git synced 2025-05-23 18:17:46 +00:00
Code Activity

Format

Browse source
This commit is contained in:
Minho Kang 2017-09-01 18:42:36 +09:00
parent f3acd9386e
commit fb27cbc7ae
1 changed files with 6 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
src/servers/Server_REST/SapphireAPI.cpp
View file

@ -29,6 +29,7 @@ Core::Network::SapphireAPI::~SapphireAPI()
bool Core::Network::SapphireAPI::login( const std::string& username, const std::string& pass, std::string& sId ) bool Core::Network::SapphireAPI::login( const std::string& username, const std::string& pass, std::string& sId )
{ {
// FIXME: username is vuln to SQLi
std::string query = "SELECT account_id, account_pass FROM accounts WHERE account_name = '" + username + "';"; std::string query = "SELECT account_id, account_pass FROM accounts WHERE account_name = '" + username + "';";
// check if a user with that name / password exists // check if a user with that name / password exists
@ -39,13 +40,12 @@ bool Core::Network::SapphireAPI::login( const std::string& username, const std::
// id is assumed to be verified with SQL // id is assumed to be verified with SQL
// check password here // check password here
auto const accountPass = pQR->fetch()[1].getString(); auto accountPass = pQR->fetch()[1].getString();
if ( crypto_pwhash_argon2i_str_verify( accountPass, pass.c_str(), pass.length()) != 0 ) if ( crypto_pwhash_argon2i_str_verify( accountPass, pass.c_str(), pass.length() ) != 0 )
{ {
return false; return false;
} }
// user found, proceed // user found, proceed
int32_t accountId = pQR->fetch()[0].getUInt32(); int32_t accountId = pQR->fetch()[0].getUInt32();
@ -109,11 +109,11 @@ bool Core::Network::SapphireAPI::createAccount( const std::string& username, con
pQR = g_database.query( "SELECT MAX(account_id) FROM accounts;" ); pQR = g_database.query( "SELECT MAX(account_id) FROM accounts;" );
int32_t accountId = pQR->fetch()[0].getUInt32() + 1; int32_t accountId = pQR->fetch()[0].getUInt32() + 1;
// Hash password
char hash[crypto_pwhash_STRBYTES]; char hash[crypto_pwhash_STRBYTES];
if (crypto_pwhash_argon2i_str(hash, pass.c_str(), pass.length(), crypto_pwhash_OPSLIMIT_INTERACTIVE, crypto_pwhash_MEMLIMIT_INTERACTIVE) != 0) if ( crypto_pwhash_argon2i_str( hash, pass.c_str(), pass.length(), crypto_pwhash_OPSLIMIT_INTERACTIVE, crypto_pwhash_MEMLIMIT_INTERACTIVE ) != 0 )
{ {
// Failed to allocate memory // Failed to allocate a memory
return false; return false;
} }