cap user inputs
This commit is contained in:
parent
64dfe93464
commit
ae3b5a18d8
@ -5,8 +5,8 @@ CREATE TABLE messages (
|
|||
from_account_id INTEGER NOT NULL,
|
||||
to_account_id INTEGER NOT NULL,
|
||||
|
||||
subject TEXT NOT NULL,
|
||||
body TEXT NOT NULL,
|
||||
subject VARCHAR(35) NOT NULL,
|
||||
body VARCHAR(200) NOT NULL,
|
||||
|
||||
created_at TEXT NOT NULL DEFAULT (STRFTIME('%Y-%m-%d %H:%M:%f', 'now')),
|
||||
read_at TEXT
|
||||
|
|
|
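Review bot: The new `VARCHAR(35)` and `VARCHAR(200)` declarations on `subject` and `body` enforce no length if this schema runs on SQLite, which the `STRFTIME(..., 'now')` defaults and `COLLATE NOCASE` in this diff suggest — SQLite ignores the declared length — so the cap is only as strong as the endpoint code that truncates before inserting. If the limit is meant to hold for every writer, add a named constraint next to the column, e.g. `CONSTRAINT messages_subject_len_check CHECK (LENGTH(subject) <= 35)`, and likewise for `body`, sizing that one against what is actually written (the endpoint stores `body` in its XOR-encrypted form, not the 200-character plaintext). The same applies to the `levels`, `accounts` and `account_comments` hunks below. Since the change edits the `CREATE TABLE` statement itself, databases created before this commit presumably keep the old definition unless a migration step exists elsewhere; worth confirming.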
@ -4,9 +4,9 @@ CREATE TABLE levels (
|
|||
created_at TEXT NOT NULL DEFAULT (STRFTIME('%Y-%m-%d %H:%M:%f', 'now')),
|
||||
modified_at TEXT NOT NULL DEFAULT (STRFTIME('%Y-%m-%d %H:%M:%f', 'now')),
|
||||
|
||||
name TEXT NOT NULL,
|
||||
user_id INTEGER NOT NULL references users(id),
|
||||
description TEXT NOT NULL DEFAULT "",
|
||||
name VARCHAR(20) NOT NULL,
|
||||
user_id INTEGER NOT NULL references users(id),
|
||||
description VARCHAR(140) NOT NULL DEFAULT "",
|
||||
original INTEGER,
|
||||
|
||||
game_version INTEGER NOT NULL,
|
||||
|
|
|
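Review bot: `description VARCHAR(140) NOT NULL DEFAULT "",` on the new side uses a double-quoted empty string as the default; the SQL string literal is single-quoted, and SQLite accepts the double-quoted form only through a legacy fallback that builds can disable (`SQLITE_DQS=0`), in which case this statement fails to parse. The line is being rewritten anyway, so change it to `description VARCHAR(140) NOT NULL DEFAULT '',`. The `CREATE TABLE levels (` header and closing paren are outside the hunk.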
@ -2,10 +2,10 @@
|
|||
CREATE TABLE accounts (
|
||||
id SERIAL PRIMARY KEY,
|
||||
|
||||
username TEXT NOT NULL COLLATE NOCASE UNIQUE,
|
||||
password TEXT NOT NULL, -- bcrypt hashed
|
||||
gjp2 TEXT NOT NULL,
|
||||
email TEXT NOT NULL,
|
||||
username VARCHAR(16) NOT NULL COLLATE NOCASE UNIQUE,
|
||||
password TEXT NOT NULL, -- bcrypt hashed
|
||||
gjp2 TEXT NOT NULL,
|
||||
email VARCHAR(254) NOT NULL,
|
||||
|
||||
-- todo: swap to proper rank system
|
||||
is_admin INTEGER NOT NULL DEFAULT 0,
|
||||
|
|
|
@ -2,8 +2,8 @@
|
|||
CREATE TABLE account_comments (
|
||||
id SERIAL PRIMARY KEY,
|
||||
|
||||
account_id INTEGER NOT NULL references users(id),
|
||||
comment TEXT NOT NULL,
|
||||
account_id INTEGER NOT NULL references users(id),
|
||||
comment VARCHAR(140) NOT NULL,
|
||||
|
||||
created_at TEXT NOT NULL DEFAULT (STRFTIME('%Y-%m-%d %H:%M:%f', 'now')),
|
||||
likes INTEGER NOT NULL DEFAULT 0
|
||||
|
|
|
@ -26,6 +26,12 @@ CrystalGauntlet.endpoints["/accounts/registerGJAccount.php"] = ->(context : HTTP
|
|||
if username.size < 3
|
||||
return "-9"
|
||||
end
|
||||
if username.size > 16
|
||||
return "-4"
|
||||
end
|
||||
if email.size > 254
|
||||
return "-6"
|
||||
end
|
||||
|
||||
# caps checks aren't required because `username` is already COLLATE NOCASE in the db
|
||||
username_exists = DATABASE.scalar "select count(*) from accounts where username = ?", username
|
||||
|
|
|
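Review bot: The bounds `16` and `254` in the new `username.size > 16` and `email.size > 254` checks duplicate the `VARCHAR(16)` and `VARCHAR(254)` lengths in the `accounts` schema hunk, and every other endpoint in this commit carries its own literal (`35`, `200`, `140`, `100`, `20`); nothing ties a check to its column, so the next schema change can desynchronise them silently. Hoist each limit into a named constant, e.g. `MAX_USERNAME_LENGTH = 16`, and reference it from both the check and the schema-adjacent code. This endpoint rejects over-length input with an error code while the upload endpoints in the same commit truncate silently; if that asymmetry is intentional, say so above the checks, e.g. `# registration rejects over-length input instead of truncating it like the upload endpoints`. The endpoint body starts before and continues after the hunk.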
@ -11,6 +11,7 @@ CrystalGauntlet.endpoints["/updateGJAccSettings20.php"] = ->(context : HTTP::Ser
|
|||
return "-1"
|
||||
end
|
||||
|
||||
# todo: figure out max lengths and cap
|
||||
DATABASE.exec("update accounts set messages_enabled=?, friend_requests_enabled=?, comments_enabled=?, youtube_url=?, twitter_url=?, twitch_url=? where id=?", params["mS"].to_i32, params["frS"].to_i32, params["cS"].to_i32, params["yt"], params["twitter"], params["twitch"], account_id)
|
||||
|
||||
"1"
|
||||
|
|
|
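Review bot: The only addition here is `# todo: figure out max lengths and cap`, so `youtube_url`, `twitter_url` and `twitch_url` remain the free-text inputs this commit leaves unbounded, and the `accounts` schema hunk does not touch those columns either. Until limits are chosen, make the TODO greppable alongside the other caps by naming what is open, e.g. `# todo: cap yt/twitter/twitch params (accounts.youtube_url, twitter_url, twitch_url still have no length limit)`, and when they are chosen apply the same truncation the other hunks use before the `DATABASE.exec` call. The endpoint body starts before the hunk.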
@ -20,8 +20,7 @@ CrystalGauntlet.endpoints["/uploadGJComment21.php"] = ->(context : HTTP::Server:
|
|||
end
|
||||
|
||||
if comment && !comment.blank?
|
||||
# todo: cap comment size
|
||||
comment_value = Base64.decode_string comment # usual b64, surprisingly
|
||||
comment_value = Base64.decode_string(comment)[..100-1]
|
||||
next_id = IDs.get_next_id("comments")
|
||||
DATABASE.exec("insert into comments (id, level_id, user_id, comment, percent) values (?, ?, ?, ?, ?)", next_id, level_id, user_id, comment_value, percent)
|
||||
return "1"
|
||||
|
|
|
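Review bot: The new `Base64.decode_string(comment)[..100-1]` caps level comments at 100 characters, but unlike the other caps in this commit the number has no counterpart in the schema hunks — the `comments` table is not changed here — so the limit lives only on this line, and the replaced line's `# usual b64, surprisingly` remark was dropped with it. Keep both facts beside the code: `comment_value = Base64.decode_string(comment)[0, 100] # usual b64, surprisingly; 100-char cap is enforced here only, comments table is unchanged in this commit`. `[0, 100]` states the cap as its literal instead of `..100-1`; the same `N-1` spelling recurs in the `uploadGJLevel21.php`, `uploadGJMessage20.php` and `uploadGJAccComment20.php` hunks. The endpoint body starts before the hunk.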
@ -124,7 +124,7 @@ CrystalGauntlet.endpoints["/uploadGJLevel21.php"] = ->(context : HTTP::Server::C
|
|||
return "-1"
|
||||
end
|
||||
|
||||
DATABASE.exec("update levels set description = ?, password = ?, requested_stars = ?, version = ?, extra_data = ?, level_info = ?, editor_time = ?, editor_time_copies = ?, song_id = ?, length = ?, objects = ?, coins = ?, has_ldm = ?, two_player = ? where id = ?", description, params["password"] == "0" ? nil : params["password"].to_i, params["requestedStars"].to_i, params["levelVersion"].to_i, Clean.clean_special(extraString), Clean.clean_b64(params["levelInfo"]), params["wt"].to_i, params["wt2"].to_i, song_id.to_i, params["levelLength"].to_i, objects, coins, params["ldm"].to_i, two_player, params["levelID"].to_i)
|
||||
DATABASE.exec("update levels set description = ?, password = ?, requested_stars = ?, version = ?, extra_data = ?, level_info = ?, editor_time = ?, editor_time_copies = ?, song_id = ?, length = ?, objects = ?, coins = ?, has_ldm = ?, two_player = ? where id = ?", description[..140-1], params["password"] == "0" ? nil : params["password"].to_i, params["requestedStars"].to_i, params["levelVersion"].to_i, Clean.clean_special(extraString), Clean.clean_b64(params["levelInfo"]), params["wt"].to_i, params["wt2"].to_i, song_id.to_i, params["levelLength"].to_i, objects, coins, params["ldm"].to_i, two_player, params["levelID"].to_i)
|
||||
|
||||
File.write(DATA_FOLDER / "levels" / "#{params["levelID"]}.lvl", Base64.decode(params["levelString"]))
|
||||
|
||||
|
@ -133,7 +133,7 @@ CrystalGauntlet.endpoints["/uploadGJLevel21.php"] = ->(context : HTTP::Server::C
|
|||
# create new level
|
||||
next_id = IDs.get_next_id("levels")
|
||||
|
||||
DATABASE.exec("insert into levels (id, name, user_id, description, original, game_version, binary_version, password, requested_stars, unlisted, version, extra_data, level_info, editor_time, editor_time_copies, song_id, length, objects, coins, has_ldm, two_player) values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)", next_id, Clean.clean_special(params["levelName"]), user_id, description, params["original"].to_i32, params["gameVersion"].to_i32, params["binaryVersion"].to_i32, params["password"] == "0" ? nil : params["password"].to_i32, params["requestedStars"].to_i32, params["unlisted"].to_i32, params["levelVersion"].to_i32, Clean.clean_special(extraString), Clean.clean_b64(params["levelInfo"]), params["wt"].to_i32, params["wt2"].to_i32, song_id.to_i32, params["levelLength"].to_i32, objects, coins, params["ldm"].to_i32, two_player)
|
||||
DATABASE.exec("insert into levels (id, name, user_id, description, original, game_version, binary_version, password, requested_stars, unlisted, version, extra_data, level_info, editor_time, editor_time_copies, song_id, length, objects, coins, has_ldm, two_player) values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)", next_id, Clean.clean_special(params["levelName"])[..20-1], user_id, description[..140-1], params["original"].to_i32, params["gameVersion"].to_i32, params["binaryVersion"].to_i32, params["password"] == "0" ? nil : params["password"].to_i32, params["requestedStars"].to_i32, params["unlisted"].to_i32, params["levelVersion"].to_i32, Clean.clean_special(extraString), Clean.clean_b64(params["levelInfo"]), params["wt"].to_i32, params["wt2"].to_i32, song_id.to_i32, params["levelLength"].to_i32, objects, coins, params["ldm"].to_i32, two_player)
|
||||
|
||||
File.write(DATA_FOLDER / "levels" / "#{next_id.to_s}.lvl", Base64.decode(params["levelString"]))
|
||||
|
||||
|
|
|
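Review bot: `description[..140-1]` is applied separately in the update statement (first hunk) and the insert statement (second hunk), so the cap is implemented twice and the `description` variable itself — assigned above both hunks, outside this view — still holds the untruncated value for any later use. Truncate once where `description` is assigned, e.g. `description = description[0, 140]`, and pass plain `description` to both statements. For the level name, the cap is applied to the output of `Clean.clean_special(params["levelName"])`; whether that helper can change the string's length, and therefore whether capping before or after cleaning is the intended meaning, is not visible here and deserves a comment at the slice. The update statement does not set `name`, so the name cap appearing only on the insert path is consistent.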
@ -17,7 +17,7 @@ CrystalGauntlet.endpoints["/uploadGJMessage20.php"] = ->(context : HTTP::Server:
|
|||
end
|
||||
|
||||
next_message_id = IDs.get_next_id("messages")
|
||||
DATABASE.exec("insert into messages (id, from_account_id, to_account_id, subject, body) values (?, ?, ?, ?, ?)", next_message_id, account_id, params["toAccountID"].to_i, Base64.decode_string(params["subject"]), String.new(XorCrypt.encrypt_string(Base64.decode_string(params["body"]), XorCrypt::MESSAGE_XOR_KEY)))
|
||||
DATABASE.exec("insert into messages (id, from_account_id, to_account_id, subject, body) values (?, ?, ?, ?, ?)", next_message_id, account_id, params["toAccountID"].to_i, Base64.decode_string(params["subject"])[..35-1], String.new(XorCrypt.encrypt_string(Base64.decode_string(params["body"])[..200-1], XorCrypt::MESSAGE_XOR_KEY)))
|
||||
|
||||
return "1"
|
||||
}
|
||||
|
|
|
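Review bot: The `[..35-1]` and `[..200-1]` slices run after `Base64.decode_string` has decoded the full parameter, so an oversized `subject` or `body` is still decoded in full — and `body` passed through `XorCrypt.encrypt_string` — before being trimmed; if the intent is to bound what the server processes as well as what is stored, check the parameter's size before decoding and reject, the way `registerGJAccount.php` does for `username`/`email`. The `body` cap is applied to the plaintext while the stored value is the XOR-encrypted form, so a reader comparing this line with `messages.body VARCHAR(200)` should be told which length is meant; a comment above the `exec`, e.g. `# caps apply to the decoded plaintext: subject 35 / body 200, matching the messages table`, would do. The endpoint body starts before the hunk.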
@ -14,8 +14,7 @@ CrystalGauntlet.endpoints["/uploadGJAccComment20.php"] = ->(context : HTTP::Serv
|
|||
comment = params["comment"]?
|
||||
|
||||
if comment && !comment.blank?
|
||||
# todo: cap comment size
|
||||
comment_value = Base64.decode_string comment # usual b64, surprisingly
|
||||
comment_value = Base64.decode_string(comment)[0..140-1]
|
||||
next_id = IDs.get_next_id("account_comments")
|
||||
DATABASE.exec("insert into account_comments (id, account_id, comment) values (?, ?, ?)", next_id, account_id, comment_value)
|
||||
return "1"
|
||||
|
|
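Review bot: `Base64.decode_string(comment)[0..140-1]` spells the cap differently from the equivalent `[..100-1]` in the `uploadGJComment21.php` hunk of this same commit, and the replaced line's `# usual b64, surprisingly` remark is dropped. Use one form at every slice site — `[0, 140]` reads as the literal limit — and keep the remark: `comment_value = Base64.decode_string(comment)[0, 140] # usual b64, surprisingly; matches account_comments.comment VARCHAR(140)`. The endpoint body starts before the hunk.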