Skip to content

Commit 7602d9f

Browse files
Silic0nS0ldierSilic0nS0ldier
committed
Implemented SQL injection safeguards.
Fix for sign-up event. Removed unneeded "transaction".
1 parent 20d4ec6 commit 7602d9f

1 file changed

Lines changed: 15 additions & 9 deletions

File tree

userfrosting/controllers/InstallController.php

Lines changed: 15 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -230,7 +230,7 @@ public function setupMasterAccount(){
230230

231231
// Create the master user
232232
$user = new User($data);
233-
233+
234234
$user->id = $this->_app->config('user_id_master');
235235

236236
// Add user to default groups, including default primary group
@@ -241,18 +241,24 @@ public function setupMasterAccount(){
241241
$user->addGroup($group_id);
242242
}
243243

244-
// Add sign-up event
245-
$user->newEventSignUp();
246-
247244
// If using SQL Server or Azure SQL Server, use this alternative insert method.
248245
if (\Illuminate\Database\Capsule\Manager::connection()->getPdo()->getAttribute(\PDO::ATTR_DRIVER_NAME) == "sqlsrv") {
249-
\Illuminate\Database\Capsule\Manager::transaction(function() use ($user) {
250-
// Manually build insert statement to overcome session IDENTITY_INSERT restriction.
251-
$insert = "INSERT INTO ".$this->_app->config('db')['db_prefix']."user (user_name, display_name, email, password, flag_verified, locale, primary_group_id, title, id, created_at, updated_at) VALUES ('".$user->user_name."', '".$user->display_name."', '".$user->email."', '".$user->password."', ".$user->flag_verified.", '".$user->locale."', ".$user->primary_group_id.", '".$user->title."', ".$user->id.", '".date("Y-m-d h:i:s")."', '".date("Y-m-d h:i:s")."');";
252-
\Illuminate\Database\Capsule\Manager::statement("SET IDENTITY_INSERT ".$this->_app->config('db')['db_prefix']."user ON; ".$insert);
253-
});
246+
// Manually build insert statement to overcome session IDENTITY_INSERT restriction.
247+
$tableName = $user->getTable();
248+
$values = $user->export();
249+
$values['created_at'] = date("Y-m-d h:i:s");
250+
$values['updated_at'] = date("Y-m-d h:i:s");
251+
\Illuminate\Database\Capsule\Manager::statement("SET IDENTITY_INSERT [$tableName] ON; INSERT INTO [$tableName] (id, user_name, display_name, email, password, flag_verified, locale, primary_group_id, title, created_at, updated_at) VALUES (:id, :user_name, :display_name, :email, :password, :flag_verified, :locale, :primary_group_id, :title, :created_at, :updated_at);", $values);
252+
253+
// Add sign-up event
254+
$user = User::where('id', 1)->first();
255+
$user->newEventSignUp();
256+
$user->save();
254257
}
255258
else {
259+
// Add sign-up event
260+
$user->newEventSignUp();
261+
256262
// Store new user to database
257263
$user->save();
258264
}

0 commit comments

Comments
 (0)