Be more paranoid with param in list context
authorMichael Andreen <harv@ruin.nu>
Mon, 29 Jun 2020 19:17:07 +0000 (21:17 +0200)
committerMichael Andreen <harv@ruin.nu>
Mon, 29 Jun 2020 19:17:07 +0000 (21:17 +0200)
lib/NDWeb/Controller/Calls.pm
lib/NDWeb/Controller/Forum.pm
lib/NDWeb/Controller/Members.pm
lib/NDWeb/Controller/Raids.pm
lib/NDWeb/Controller/Root.pm
lib/NDWeb/Controller/Settings.pm
lib/NDWeb/Controller/Users.pm
lib/NDWeb/Controller/Wiki.pm

index dac7f32b5a1ec279014b9a3754cd463c5108fd55..48eac7eeb1e1406cadc01214e5f65154b32a31c8 100644 (file)
@@ -268,13 +268,15 @@ sub postcallupdate : Local {
        if ($c->req->param('cmd') eq 'Submit'){
                my $logmess = '';
                if ($c->req->param('ctick')){
+                       my $tick = $c->req->param('tick');
                        $dbh->do(q{UPDATE calls SET landing_tick = ? WHERE call = ?}
-                               ,undef,$c->req->param('tick'),$call->{call});
+                               ,undef,$tick,$call->{call});
                        $logmess .= "Updated landing tick from [B] $call->{landing_tick} [/B]\n";
                }
                if ($c->req->param('cinfo')){
+                       my $info = $c->req->param('info');
                        $dbh->do(q{UPDATE calls SET info = ? WHERE call = ?}
-                               ,undef,$c->req->param('info'),$call->{call});
+                               ,undef,$info,$call->{call});
                        $logmess .= "Updated info\n";
                }
                if ($c->req->param('ccalc')){
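Review bot: `$tick` is passed to `UPDATE calls SET landing_tick = ?` without any check that it is numeric; if landing_tick is an integer column, a non-numeric submission fails only at the database, and `$dbh->do` without RaiseError would return undef silently while the "Updated landing tick" log line is still appended. A guard such as `unless ($tick =~ /\A\d+\z/) { $c->flash(error => 'Invalid tick'); }` before the update would give a clear error and keep the log honest. postcallupdate starts before and ends after this hunk.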
@@ -284,8 +286,9 @@ sub postcallupdate : Local {
                        $logmess .= html_escape('Updated calc to: [URL]'.$calc."[/URL]\n");
                }
                if ($c->req->param('cstatus')){
+                       my $status = $c->req->param('status');
                        $dbh->do(q{UPDATE calls SET status = $1, dc = $2 WHERE call = $3}
-                               ,undef,$c->req->param('status'),$c->user->id,$call->{call});
+                               ,undef,$status,$c->user->id,$call->{call});
                        $logmess .= "Changed status to: ".$c->req->param('status')."\n";
                }
                $log->execute($c->user->id,$call->{ftid},$logmess) if $log;
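Review bot: The log line `$logmess .= "Changed status to: ".$c->req->param('status')."\n";` still reads the parameter directly even though `$status` was introduced for it two lines above; `$logmess .= "Changed status to: ".$status."\n";` keeps the logged value identical to the stored one and matches what the commit does elsewhere. Concatenation already imposes scalar context, so this is consistency rather than correctness. postcallupdate starts before and ends after this hunk.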
index f06848de982c5e8da0391b5c27ec3bf5ae9733ab..a0cb01ac4369b824446d8f8883d4527c9408396b 100644 (file)
@@ -329,7 +329,8 @@ sub moveThreads : Local {
        my ( $self, $c, $board ) = @_;
        my $dbh = $c->model;
 
-       $c->forward('findBoard',[$c->req->param('board')]);
+       my $b = $c->req->param('board');
+       $c->forward('findBoard',[$b]);
        my $toboard = $c->stash->{board};
        unless ($toboard->{moderate}){
                $c->acl_access_denied('test',$c->action,'No moderator access for target board.')
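Review bot: `my $b = $c->req->param('board');` lexically shadows Perl's `$b` sort variable; any `sort { $a <=> $b }` later in moveThreads would then compare against this lexical instead of the sort element, which is why perlcritic flags the name. Rename it, e.g. `my $to = $c->req->param('board');` and `$c->forward('findBoard',[$to]);`. moveThreads begins before and ends after this hunk.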
@@ -381,10 +382,11 @@ sub insertThread : Private {
        my ( $self, $c, $board ) = @_;
        my $dbh = $c->model;
 
+       my $subject = html_escape($c->req->param('subject'));
        my $insert = $dbh->prepare(q{INSERT INTO forum_threads (ftid,fbid,subject,uid)
                VALUES(DEFAULT,$1,$2,$3) RETURNING (ftid);
                });
-       $insert->execute($board,html_escape($c->req->param('subject')),$c->stash->{UID});
+       $insert->execute($board,$subject,$c->stash->{UID});
        $c->stash(thread => $insert->fetchrow);
        $insert->finish;
 }
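Review bot: `my $subject = html_escape($c->req->param('subject'));` still evaluates `param('subject')` in list context, because a sub's argument list is always list context; a request carrying two `subject` fields hands both values to html_escape rather than one, so the commit's intent is only partly met on this line. `my $subject = html_escape(scalar $c->req->param('subject'));` pins a single value. Whether html_escape uses only its first argument is not visible here. insertThread starts before the hunk.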
@@ -549,21 +551,23 @@ sub findBoard : Private {
 
 sub previewPost : Private {
        my ( $self, $c) = @_;
+       my $message = html_escape $c->req->param('message');
        push @{$c->stash->{posts}}, {
                unread => 1,
                username => 'PREVIEW',
-               message => parseMarkup(html_escape $c->req->param('message')),
+               message => parseMarkup($message),
        };
-       $c->stash(previewMessage => html_escape $c->req->param('message'));
+       $c->stash(previewMessage => $message);
 }
 
 sub insertPost : Private {
        my ( $self, $c, $thread ) = @_;
        my $dbh = $c->model;
 
+       my $message = html_escape($c->req->param('message'));
        my $insert = $dbh->prepare(q{INSERT INTO forum_posts (ftid,message,uid)
                VALUES($1,$2,$3)});
-       $insert->execute($thread,html_escape($c->req->param('message')),$c->stash->{UID});
+       $insert->execute($thread,$message,$c->stash->{UID});
 }
 
 sub listModeratorBoards : Private {
index 33fdc5cb61243710e476d5822e7fb81faf75135d..6afbb6511d058b02ad5511d087b890515388ea9e 100644 (file)
@@ -95,8 +95,9 @@ sub posthostupdate : Local {
        my ( $self, $c ) = @_;
        my $dbh = $c->model;
 
+       my $hostname = html_escape $c->req->param('hostname');
        $dbh->do(q{UPDATE users SET hostmask = ? WHERE uid = ?
-               },undef, html_escape $c->req->param('hostname'), $c->user->id);
+               },undef, $hostname, $c->user->id);
 
        $c->res->redirect($c->uri_for(''));
 }
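Review bot: `my $hostname = html_escape $c->req->param('hostname');` still calls param in list context (inside html_escape's argument list), so `my $hostname = html_escape(scalar $c->req->param('hostname'));` is needed to actually pin one value. Separately, a hostmask is presumably consumed by the IRC side rather than rendered, so a shape check before the UPDATE — something like `unless ($hostname =~ /\A[\w.\-*!@]+\z/) { ... }` — would be a stronger control than HTML-escaping, which only protects later display; confirm against how hostmask is used. posthostupdate starts before this hunk.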
@@ -123,10 +124,11 @@ sub postsmsupdate : Local {
        my $dbh = $c->model;
 
        my $callme = $c->req->param('callme') || 0;
+       my $sms = html_escape $c->req->param('sms');
+       my $smsnote = $c->req->param('smsnote');
        $dbh->do(q{
 UPDATE users SET sms = $1, call_if_needed =  $2, sms_note = $3 WHERE uid = $4
-               },undef, html_escape $c->req->param('sms'),$callme
-               ,$c->req->param('smsnote'), $c->user->id);
+               },undef, $sms, $callme, $smsnote, $c->user->id);
 
        $c->res->redirect($c->uri_for(''));
 }
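Review bot: `$sms` is passed through html_escape while `$smsnote` on the next line is stored raw; if sms_note is rendered by a template without escaping (the file's habit of escaping on input suggests the templates do not), that is a stored-XSS path for a self-service field, and `my $smsnote = html_escape $c->req->param('smsnote');` would make the two consistent. The html_escape call also still evaluates param in list context; `html_escape(scalar $c->req->param('sms'))` pins one value. postsmsupdate starts before this hunk.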
@@ -160,7 +162,8 @@ sub postowncoords : Local {
                        $c->flash(error => "No planet at coords: $x:$y:$z");
                }
        }else{
-               $c->flash(error => $c->req->param('planet') . " are not valid coords.");
+               my $error = $c->req->param('planet') . " are not valid coords.";
+               $c->flash(error => $error);
        }
 
        $c->res->redirect($c->uri_for('/'.$c->session->{referrer}));
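Review bot: `my $error = $c->req->param('planet') . " are not valid coords.";` embeds the unvalidated `planet` parameter in a flash message without html_escape, unlike the other user-supplied strings this file stores; if the flash is rendered unescaped it reflects arbitrary markup back into the session. `my $error = html_escape(scalar $c->req->param('planet')) . " are not valid coords.";` follows the file's convention — confirm how the template prints `error`. postowncoords starts before this hunk.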
@@ -215,17 +218,19 @@ sub postircrequest : Local {
        my ( $self, $c ) = @_;
        my $dbh = $c->model;
 
+       my $message = $c->req->param('message');
        if ($c->req->param('channel')){
                my $query = $dbh->prepare(q{
 INSERT INTO irc_requests (uid,channel,message) VALUES($1,$2,$3)
                });
-               $query->execute($c->user->id,$c->req->param('channel'),$c->req->param('message'));
+               my $channel = $c->user->id,$c->req->param('channel');
+               $query->execute($channel, $message);
                $c->signal_bots;
 
-               $c->flash(reply => "Msg sent to: ".$c->req->param('channel'));
+               $c->flash(reply => "Msg sent to: ".$channel);
                $c->res->redirect($c->uri_for('ircrequest'));
        }else{
-               $c->stash(ircmessage => $c->req->param('message'));
+               $c->stash(ircmessage => $message);
                $c->go('ircrequest');
        }
 }
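Review bot: `my $channel = $c->user->id,$c->req->param('channel');` is a comma-operator statement: `$channel` receives the user id and the `channel` parameter is evaluated in void context and discarded, so `$query->execute($channel, $message)` supplies two bind values for the three placeholders `$1,$2,$3` and the flash reports the uid as the channel. Replace with `my $channel = $c->req->param('channel');` and `$query->execute($c->user->id, $channel, $message);`. Under `use warnings` Perl reports the dropped value as a useless use in void context, so this should have surfaced at compile time. postircrequest starts before this hunk.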
@@ -327,7 +332,8 @@ sub postintelmessage : Local {
 SELECT coords(x,y,z), tick() FROM current_planet_stats WHERE pid = $1
                }, undef, $c->user->planet);
 
-       $c->req->param(message => "[i]Posted by $coords at tick $tick [/i]\n\n" . $c->req->param('message'));
+       my $message = "[i]Posted by $coords at tick $tick [/i]\n\n" . $c->req->param('message');
+       $c->req->param(message => $message);
        $c->forward('/forum/insertThread',[12]);
        $c->forward('/forum/insertPost',[$c->stash->{thread}]);
        $c->flash(intelmessage => 1);
@@ -507,7 +513,8 @@ WHERE uid = $1 AND num = $2 AND back > tick()
                my $fullfleet = $dbh->prepare(q{INSERT INTO full_fleets
                                        (fid,uid) VALUES (?,?)});
                $dbh->begin_work;
-               my @missions = parseconfirmations($c->req->param('mission'), $c->stash->{TICK});
+               my $mission = $c->req->param('mission');
+               my @missions = parseconfirmations($mission, $c->stash->{TICK});
                for my $m (@missions){
                        if ($m->{mission} eq 'Return'){
                                $c->forward("addReturnFleet", [$m]);
index 1b1335274ee3fd004daf9f236f97aa9b668cf0a1..61956b27226465cfacf6af7858523de40f264f0b 100644 (file)
@@ -311,10 +311,11 @@ sub postraidupdate : Local {
        my $dbh = $c->model;
 
        $dbh->begin_work;
+       my $tick = $c->req->param('tick');
+       my $waves = $c->req->param('waves');
        $dbh->do(q{UPDATE raids SET message = ?, tick = ?, waves = ? WHERE id = ?}
                ,undef,html_escape $c->req->param('message')
-               ,$c->req->param('tick'),$c->req->param('waves')
-               ,$raid);
+               ,$tick,$waves,$raid);
 
        $c->forward('log',[$raid, 'BC updated raid']);
 
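Review bot: In the `$dbh->do(...)` call, `html_escape $c->req->param('message')` is an unparenthesized list-operator call, so unless html_escape carries a `($)` prototype it also swallows `$tick,$waves,$raid` as its own arguments, and either way param is still evaluated in list context. The parallel postcreate hunk hoists the message into a variable; doing the same here removes both doubts: `my $message = html_escape(scalar $c->req->param('message'));` and then `,undef,$message,$tick,$waves,$raid);`. postraidupdate starts before this hunk.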
@@ -516,10 +517,12 @@ sub postcreate : Local {
 
        $dbh->begin_work;
        my $query = $dbh->prepare(q{INSERT INTO raids (tick,waves,message) VALUES(?,?,?) RETURNING (id)});
-       $query->execute($c->req->param('tick'),$c->req->param('waves')
-               ,html_escape $c->req->param('message'));
+       my $tick = $c->req->param('tick');
+       my $waves = $c->req->param('waves');
+       my $message = html_escape $c->req->param('message');
+       $query->execute($tick,$waves,$message);
        my $raid = $query->fetchrow_array;
-       $c->forward('log',[$raid,"Created raid landing at tick: ".$c->req->param('tick')]);
+       $c->forward('log',[$raid,"Created raid landing at tick: ".$tick]);
 
        if ($c->req->param('gal') || $c->req->param('target')) {
                my @gals = $c->req->param('gal');
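Review bot: `my $message = html_escape $c->req->param('message');` still evaluates param in list context inside html_escape's argument list; `html_escape(scalar $c->req->param('message'))` pins one value. `$tick` and `$waves` reach the INSERT unchecked — if the columns are integers, a non-numeric submission fails inside the transaction opened by `begin_work` two lines above, and the rollback handling lies outside this hunk; a `/\A\d+\z/` check before `execute` would give a proper error instead. postcreate continues past the hunk.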
@@ -533,7 +536,8 @@ sub postcreate : Local {
                                )
                        )
                });
-               $addtarget->execute($raid,\@targets,\@gals,$c->req->param('sizelimit'));
+               my $sizelimit = $c->req->param('sizelimit');
+               $addtarget->execute($raid,\@targets,\@gals,$sizelimit);
                $c->forward('log',[$raid,"BC added planets (@targets) and the gals for (@gals)"]);
        }
        $dbh->do(q{INSERT INTO raid_access (raid,gid) VALUES(?,'M')}
@@ -722,9 +726,11 @@ sub postcreateretal : Local {
        my $dbh = $c->model;
 
        $dbh->begin_work;
+       my $tick = $c->req->param('tick');
+       my $waves = $c->req->param('waves');
+       my $message = html_escape $c->req->param('message');
        my $query = $dbh->prepare(q{INSERT INTO raids (tick,waves,message) VALUES(?,?,?) RETURNING (id)});
-       $query->execute($c->req->param('tick'),$c->req->param('waves')
-               ,html_escape $c->req->param('message'));
+       $query->execute($tick, $waves, $message);
        my $raid = $query->fetchrow_array;
        $c->forward('log',[$raid,"Created retal raid landing at tick: ".$c->req->param('tick')]);
 
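Review bot: `$c->forward('log',[$raid,"Created retal raid landing at tick: ".$c->req->param('tick')]);` still reads the parameter directly although `$tick` was just introduced for it, whereas the parallel postcreate hunk switched its log line to `$tick`; use `"Created retal raid landing at tick: ".$tick` here too so the logged value is the one that was inserted. `my $message = html_escape $c->req->param('message');` also still evaluates param in list context; `html_escape(scalar ...)` pins it. postcreateretal starts before and ends after this hunk.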
index 787850019a9929d1fb17a2d3fe9d4088ce5dda3e..f1b020a0779eada5a0f203add13251ec975c5bf4 100644 (file)
@@ -105,10 +105,14 @@ UPDATE sms SET status = $2, cost = $3
 WHERE msgid = $1
                });
 
-       $sms->execute($c->req->param('apiMsgId')
-               ,$clickatellstatus{$c->req->param('status')}
-               ,$c->req->param('charge')
-               ,$c->req->param('timestamp'));
+       my $apiMsgId = $c->req->param('apiMsgId');
+       my $status = $c->req->param('status');
+       my $charge = $c->req->param('charge');
+       my $timestamp = $c->req->param('timestamp');
+       $sms->execute($apiMsgId
+               ,$clickatellstatus{$status}
+               ,$charge
+               ,$timestamp);
 
 }
 
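Review bot: `$clickatellstatus{$status}` yields undef for any status value not in the map, so an unexpected or malformed callback writes `status = NULL` for the message; checking `exists $clickatellstatus{$status}` before `execute` (and logging and returning otherwise) would keep unknown callback input from clobbering stored state. Whether this endpoint authenticates the provider is not visible in the hunk; if it does not, anyone able to guess `apiMsgId` can update rows. The enclosing sub starts before the hunk.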
index 16358444618efe089b44f12be74ee43e7ce8edbf..03dc7824687a9bd21282ceadc38b9fd233e427c9 100644 (file)
@@ -68,7 +68,8 @@ sub changeStylesheet : Local {
        my $query = $dbh->prepare(q{UPDATE users SET css = NULLIF($2,'Default')
                WHERE uid = $1
        });
-       $query->execute($c->user->id,html_escape $c->req->param('stylesheet'));
+       my $css = html_escape $c->req->param('stylesheet');
+       $query->execute($c->user->id,$css);
 
        $c->res->redirect($c->uri_for(''));
 }
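Review bot: `my $css = html_escape $c->req->param('stylesheet');` still evaluates param in list context; `html_escape(scalar $c->req->param('stylesheet'))` pins a single value. Since the stored name is presumably used later to pick a stylesheet, an allowlist check against the known stylesheet names before the UPDATE would be a tighter control than HTML-escaping an arbitrary string — confirm how `css` is consumed. changeStylesheet starts before this hunk.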
@@ -81,7 +82,8 @@ sub changeBirthday : Local {
                WHERE uid = $1
                });
        eval{
-               $query->execute($c->user->id,html_escape $c->req->param('birthday'));
+               my $birthday = html_escape $c->req->param('birthday');
+               $query->execute($c->user->id,$birthday);
        };
        if ($@){
                if ($@ =~ /invalid input syntax for type date/){
@@ -113,13 +115,15 @@ sub changePassword : Local {
        my ( $self, $c ) = @_;
        my $dbh = $c->model;
 
-       if (length $c->req->param('pass') < 4) {
+       my $pass = $c->req->param('pass');
+       if (length $pass < 4) {
                $c->flash(error => "Your password need to be at least 4 characters");
        } else {
                my $query = $dbh->prepare(q{UPDATE users SET password = $1
                        WHERE password = crypt($2,password) AND uid = $3
                });
-               $query->execute($c->req->param('pass'),$c->req->param('oldpass'),$c->user->id);
+               my $oldpass = $c->req->param('oldpass');
+               $query->execute($pass,$oldpass,$c->user->id);
 
                $c->flash(error => "Old password was invalid") unless $query->rows;
        }
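Review bot: `if (length $pass < 4)` accepts four-character passwords, well below current guidance (NIST SP 800-63B asks for at least 8); `if (!defined $pass || length $pass < 8)` with a matching message is a small change to make while the line is being touched. `SET password = $1` stores the raw `$pass`, so the scheme relies on the database hashing it — the `crypt($2,password)` comparison suggests a trigger does, but that should be confirmed. changePassword starts before and ends after this hunk.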
@@ -133,7 +137,7 @@ sub changeEmail : Local {
 
        my $email = $c->req->param('email');
 
-       if ($email =~ /^s?$/) {
+       if ($email =~ /^\s*$/) {
                my $update = $dbh->prepare(q{
 UPDATE users SET email = NULL WHERE uid = $1;
                        });
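Review bot: The corrected `^\s*$` now treats a whitespace-only submission as "clear the address", but the else branch (outside the hunk) appears to store `$email` as submitted; trimming first with `$email =~ s/\A\s+|\s+\z//g;` and a minimal shape check such as `\A[^@\s]+@[^@\s]+\z` before the UPDATE would stop padded or malformed addresses being saved. changeEmail continues past this hunk.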
index 117f1bde98a1ca785549c5bf49005db0411db6e2..13b79c74e0c9e257b525efe264f1fb733f661956 100644 (file)
@@ -159,30 +159,33 @@ sub postmail : Local {
        my ( $self, $c ) = @_;
        my $dbh = $c->model;
 
+       my $group = $c->req->param('group');
        my $emails = $dbh->prepare(q{SELECT email FROM users
                WHERE uid IN (SELECT uid FROM groupmembers WHERE gid = $1)
                        AND email is not null});
-       $emails->execute($c->req->param('group'));
+       $emails->execute($group);
        my @emails;
        while (my $email = $emails->fetchrow_hashref){
                push @emails,$email->{email};
        }
 
+       my $subject = $c->req->param('subject');
+       my $message = $c->req->param('message');
        my %mail = (
                smtp => 'localhost',
                BCC      => (join ',',@emails),
                From    => 'NewDawn Command <nd@ruin.nu>',
                'Content-type' => 'text/plain; charset="UTF-8"',
-               Subject => $c->req->param('subject'),
-               Message => $c->req->param('message'),
+               Subject => $subject,
+               Message => $message,
        );
 
        if (sendmail %mail) {
                $c->flash(ok => \@emails);
        }else {
                $c->flash(error => $Mail::Sendmail::error);
-               $c->flash(subject => $c->req->param('subject'));
-               $c->flash(message => $c->req->param('message'));
+               $c->flash(subject => $subject);
+               $c->flash(message => $message);
        }
 
        $c->res->redirect($c->uri_for('mail'));
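Review bot: `Subject => $subject` places a request parameter straight into a mail header; unless Mail::Sendmail strips them, CR/LF in `subject` injects further headers (extra recipients, a second body). Strip them before building `%mail`: `$subject =~ s/[\r\n]+/ /g;`. `$group` is likewise used unchecked to select the recipient set; if this action is not restricted to admins elsewhere, any member could mail any group. postmail starts before this hunk.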
@@ -226,11 +229,12 @@ sub postsms : Local {
 
        $c->req->parameters->{uid} = [$c->req->parameters->{uid}]
                unless ref $c->req->parameters->{uid} eq 'ARRAY';
+       my $message = $c->req->param('message');
 
        my $query = $dbh->prepare(q{INSERT INTO sms (uid,message,number)
                (SELECT $1,$2, trim(leading '+' FROM sms) FROM users u WHERE uid = ANY ($3) AND sms SIMILAR TO '\+\d+' )});
 
-       $query->execute($c->user->id,$c->req->param('message'),$c->req->parameters->{uid});
+       $query->execute($c->user->id,$message,$c->req->parameters->{uid});
 
        $c->res->redirect($c->uri_for('sms'));
 }
index 2e54d48cc602deb7ff34b71fc1f20541a5e4aed9..60f210d266b80e9e3282dd9b91c61982c085272e 100644 (file)
@@ -103,6 +103,9 @@ sub postedit : Local {
        my ( $self, $c, $p ) = @_;
        my $dbh = $c->model;
 
+       my $ns = $c->req->param('namespace');
+       my $name = $c->req->param('name');
+       my $text = $c->req->param('text');
        eval {
                $dbh->begin_work;
 
@@ -114,10 +117,10 @@ sub postedit : Local {
                        my $namespace = $dbh->selectrow_array(q{SELECT namespace
                                FROM wiki_namespace_access
                                WHERE namespace = $1 AND post AND gid IN (SELECT groups($2))
-                       },undef,$c->req->param('namespace'), $c->stash->{UID});
+                       },undef,$ns, $c->stash->{UID});
 
                        my $query = $dbh->prepare(q{INSERT INTO wiki_pages (namespace,name) VALUES($1,$2) RETURNING wpid});
-                       $query->execute($namespace,$c->req->param('name'));
+                       $query->execute($namespace,$name);
                        $wpid = $query->fetchrow;
                }
                $c->forward('findPage',[$wpid]);
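Review bot: The access lookup returns undef when the user lacks post rights or the namespace does not exist, and the new code passes that straight into `$query->execute($namespace,$name)`, relying on a NOT NULL constraint (if there is one) to turn the denial into a database error caught by the surrounding eval. An explicit `die "No post access to namespace $ns\n" unless defined $namespace;` before the INSERT makes the check visible and the error message meaningful. postedit starts before and ends after this hunk.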
@@ -129,8 +132,10 @@ sub postedit : Local {
                        RETURNING wprev
                        });
                $c->req->params->{parent}||= undef;
-               $query->execute($wpid,$c->req->param('parent'),$c->req->param('text')
-                       ,$c->req->param('comment'),$c->stash->{UID});
+               my $parent = $c->req->param('parent');
+               my $comment = $c->req->param('comment');
+               $query->execute($wpid,$parent,$text
+                       ,$comment,$c->stash->{UID});
                my $rev = $query->fetchrow;
                $dbh->do(q{UPDATE wiki_pages SET wprev = $1 WHERE wpid = $2}
                        ,undef,$rev,$wpid);
@@ -154,10 +159,10 @@ sub postedit : Local {
        $c->forward('findPage') if $p;
        $c->forward('findNamespaces');
 
-       $c->stash->{page}->{namespace} = $c->req->param('namespace');
-       $c->stash->{page}->{name} = $c->req->param('name');
+       $c->stash->{page}->{namespace} = $ns;
+       $c->stash->{page}->{name} = $name;
 
-       $c->stash(text => $c->req->param('text'));
+       $c->stash(text => $text);
        $c->stash(template => 'wiki/edit.tt2');
 }
 
@@ -181,7 +186,8 @@ sub search : Local {
                        ORDER BY rank DESC
                });
                eval {
-                       $posts->execute($c->stash->{UID},$c->req->param('search'));
+                       my $search = $c->req->param('search');
+                       $posts->execute($c->stash->{UID},$search);
                        my @posts;
                        while (my $post = $posts->fetchrow_hashref){
                                push @posts,$post;