From 3127e2de1f21dec0bf08013193380274adbf345f Mon Sep 17 00:00:00 2001 From: bton Date: Wed, 6 Mar 2024 21:31:00 +0100 Subject: [PATCH] added escape --- Website/__init__.py | 1 - Website/db.py | 27 ++++++++++++++------------- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/Website/__init__.py b/Website/__init__.py index 059668a..daf6a1e 100644 --- a/Website/__init__.py +++ b/Website/__init__.py @@ -2,7 +2,6 @@ import queue, time, uuid, json, logging, datetime, os from flask import Flask, render_template, render_template_string, request, make_response, session, send_file, g from flask_socketio import SocketIO, join_room, leave_room from flask_session import Session -from markupsafe import escape from Website.db import get_db import Website.db as db from datetime import datetime diff --git a/Website/db.py b/Website/db.py index f586494..2cc908d 100644 --- a/Website/db.py +++ b/Website/db.py @@ -1,4 +1,5 @@ from re import M +from markupsafe import escape import sqlite3 from datetime import datetime import click @@ -13,44 +14,44 @@ def log(statement, user_id, before, after, change): def add_user(after): db = get_db() c = db.cursor() - c.execute("INSERT or IGNORE INTO users (username, balance) VALUES (?, 0)", [after]) + c.execute("INSERT or IGNORE INTO users (username, balance) VALUES (?, 0)", [escape(after)]) user_id = c.lastrowid - log("add_user", user_id=user_id, after=after) + log("add_user", user_id=escape(user_id), after=escape(after)) db.commit() def remove_user(user_id): db = get_db() c = db.cursor() - c.execute("SELECT * FROM users WHERE id = ?", [user_id]) + c.execute("SELECT * FROM users WHERE id = ?", [escape(user_id)]) user_name = c.fetchone()[1] - c.execute("SELECT * FROM tags WHERE userid = ?", [user_id]) + c.execute("SELECT * FROM tags WHERE userid = ?", [escape(user_id)]) for tag in c.fetchall(): remove_tag(tag[0]) - c.execute("DELETE FROM users WHERE id = ?", [user_id]) - log("remove_user", user_id=user_id, before=user_name) + c.execute("DELETE FROM users WHERE id = ?", [escape(user_id)]) + log("remove_user", user_id=escape(user_id), before=escape(user_name)) db.commit() def add_tag(user_id, tag_id): db = get_db() c = db.cursor() - c.execute("INSERT OR IGNORE INTO tags (tagid, userid) VALUES ?, ?)", [tag_id, user_id]) + c.execute("INSERT OR IGNORE INTO tags (tagid, userid) VALUES ?, ?)", [escape(tag_id), escape(user_id)]) db.commit() - log("addtag", after=tag_id, user_id=user_id) + log("addtag", after=escape(tag_id), user_id=escape(user_id)) def remove_tag(tag_id): db = get_db() c = db.cursor() - c.execute("SELECT * FROM tags WHERE tagid = ?", [tag_id]) + c.execute("SELECT * FROM tags WHERE tagid = ?", [escape(tag_id)]) user_id = c.fetchone()[1] - c.execute("DELETE FROM tags WHERE tagid = ?", [tag_id]) - log("removetag", before=tag_id, user_id=user_id) + c.execute("DELETE FROM tags WHERE tagid = ?", [escape(tag_id)]) + log("removetag", before=escape(tag_id), user_id=escape(user_id)) db.commit() def change_balance(user_id, change): db = get_db() c = db.cursor() - c.execute("UPDATE users SET balance = balance + ? WHERE id=?", [change, user_id]) - log("balance", user_id=user_id, change=change) + c.execute("UPDATE users SET balance = balance + ? WHERE id=?", [escape(change), escape(user_id)]) + log("balance", user_id=escape(user_id), change=escape(change)) db.commit() def get_db():