From 04fd8a20c205e603df0072024a2afe92eaed324c Mon Sep 17 00:00:00 2001
From: bton
Date: Wed, 6 Mar 2024 21:38:53 +0100
Subject: [PATCH] added escape
---
 Website/db.py | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/Website/db.py b/Website/db.py
index 2cc908d..47f440d 100644
--- a/Website/db.py
+++ b/Website/db.py
@@ -14,44 +14,44 @@ def log(statement, user_id, before, after, change):
 def add_user(after):
 db = get_db()
 c = db.cursor()
- c.execute("INSERT or IGNORE INTO users (username, balance) VALUES (?, 0)", [escape(after)])
+ c.execute("INSERT or IGNORE INTO users (username, balance) VALUES (?, 0)", [after])
 user_id = c.lastrowid
- log("add_user", user_id=escape(user_id), after=escape(after))
+ log("add_user", user_id=user_id, after=after)
 db.commit()
 def remove_user(user_id):
 db = get_db()
 c = db.cursor()
- c.execute("SELECT * FROM users WHERE id = ?", [escape(user_id)])
+ c.execute("SELECT * FROM users WHERE id = ?", [user_id])
 user_name = c.fetchone()[1]
- c.execute("SELECT * FROM tags WHERE userid = ?", [escape(user_id)])
+ c.execute("SELECT * FROM tags WHERE userid = ?", [user_id])
 for tag in c.fetchall():
 remove_tag(tag[0])
- c.execute("DELETE FROM users WHERE id = ?", [escape(user_id)])
- log("remove_user", user_id=escape(user_id), before=escape(user_name))
+ c.execute("DELETE FROM users WHERE id = ?", [user_id])
+ log("remove_user", user_id=user_id, before=user_name)
 db.commit()
 def add_tag(user_id, tag_id):
 db = get_db()
 c = db.cursor()
- c.execute("INSERT OR IGNORE INTO tags (tagid, userid) VALUES ?, ?)", [escape(tag_id), escape(user_id)])
+ c.execute("INSERT OR IGNORE INTO tags (tagid, userid) VALUES ?, ?)", [tag_id, user_id])
 db.commit()
- log("addtag", after=escape(tag_id), user_id=escape(user_id))
+ log("addtag", after=tag_id, user_id=user_id)
 def remove_tag(tag_id):
 db = get_db()
 c = db.cursor()
- c.execute("SELECT * FROM tags WHERE tagid = ?", [escape(tag_id)])
+ c.execute("SELECT * FROM tags WHERE tagid = ?", [tag_id])
 user_id = c.fetchone()[1]
- c.execute("DELETE FROM tags WHERE tagid = ?", [escape(tag_id)])
- log("removetag", before=escape(tag_id), user_id=escape(user_id))
+ c.execute("DELETE FROM tags WHERE tagid = ?", [tag_id])
+ log("removetag", before=tag_id, user_id=user_id)
 db.commit()
 def change_balance(user_id, change):
 db = get_db()
 c = db.cursor()
- c.execute("UPDATE users SET balance = balance + ? WHERE id=?", [escape(change), escape(user_id)])
- log("balance", user_id=escape(user_id), change=escape(change))
+ c.execute("UPDATE users SET balance = balance + ? WHERE id=?", [change, user_id])
+ log("balance", user_id=user_id, change=change)
 db.commit()
 def get_db():
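Review bot: The INSERT in add_tag is still malformed on the new side — `VALUES ?, ?)` has no opening parenthesis, so sqlite will reject the statement before anything is inserted; it should read `c.execute("INSERT OR IGNORE INTO tags (tagid, userid) VALUES (?, ?)", [tag_id, user_id])`. Dropping escape() around values bound through `?` placeholders is correct, since the driver passes them as data and escaping would only alter what gets stored; if escape() was HTML escaping, that belongs at render time rather than in the data layer. Separately, remove_user and remove_tag index `c.fetchone()[1]` without checking for a missing row, so an unknown id raises TypeError before the DELETE runs; a guard such as `row = c.fetchone()` / `if row is None: return` would make that failure explicit. In add_user, `c.lastrowid` after INSERT OR IGNORE may not identify the pre-existing user when the insert is ignored, so the user_id written to the log can be misleading.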