fixed sql injektion

This commit is contained in:
2000-Trek 2023-07-05 22:05:50 +02:00
parent d015a68c8c
commit 6e377f8708


@ -128,7 +128,7 @@ def confirm_remove_user():
@app.route("/removeuser", methods=['GET']) @app.route("/removeuser", methods=['GET'])
def remove_user(): def remove_user():
user_id = request.args.get("id") user_id = request.args.get("id")
c.execute(f"SELECT * FROM users WHERE id='{user_id}'") c.execute(f"SELECT * FROM users WHERE id=?", [user_id])
users = c.fetchall() users = c.fetchall()
if users != []: if users != []:
user_name = users[0][1] user_name = users[0][1]
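Review bot: The parameterized query on the changed line closes the injection, but `remove_user` stays bound to `methods=['GET']`, so if the body past this hunk really performs the removal, any link or image tag a logged-in user loads can trigger it — the standard cross-site request forgery route for a destructive action; the route should take POST (with whatever CSRF protection the app has) and read the id from the form body. On the same changed line the `f` prefix is now dead and easy to misread as interpolation: `c.execute("SELECT * FROM users WHERE id=?", (user_id,))`. `request.args.get("id")` yields `None` when the parameter is absent, which this query tolerates (it simply matches nothing), but the empty-result test reads better as `if users:`. `remove_user`'s body continues beyond the hunk, so whether an authorization check guards the removal cannot be judged here.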
@ -275,7 +275,7 @@ def get_id():
global finished global finished
global message global message
tag_id = request.args.get("id") tag_id = request.args.get("id")
c.execute(f"SELECT * FROM tags WHERE tagid ='{tag_id}'") c.execute(f"SELECT * FROM tags WHERE tagid =?", [tag_id])
tag_list = c.fetchall() tag_list = c.fetchall()
if users.qsize() > 0: if users.qsize() > 0: