Fixed SQlite injektions

2000-Trek 2023-06-16 19:20:25 +02:00
parent b47dbc0880
commit e5964c6143


@ -59,7 +59,7 @@ def list():
@app.route("/list/user", methods=['GET'])
def user_info():
username = request.args.get("user")
c.execute("SELECT * FROM users WHERE username = '?'", [username])
c.execute("SELECT * FROM users WHERE username = ?", [username])
user_list = c.fetchall()
if user_list != []:
user = user_list[0]
@ -112,9 +112,9 @@ def remove_user():
@app.route("/adduser/user", methods=['GET'])
def adduser():
user = request.args.get("username")
c.execute("SELECT * FROM users WHERE username='%s'", user)
c.execute("SELECT * FROM users WHERE username=?", [user])
if c.fetchall() == []:
c.execute("INSERT or IGNORE INTO users (username, balance) VALUES (%(user)s, 0)", {'user': user})
c.execute("INSERT or IGNORE INTO users (username, balance) VALUES (?, 0)", [user])
conn.commit()
return 'Added user <a href="/list">user and tag list</a> <p>The creator of this website accepts no liability for any linguistic or technical errors!</p>'
else:
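Review bot: `adduser()` passes `request.args.get("username")` straight into both statements without checking that it is present, so a request with no `username` parameter binds `None`: the SELECT matches nothing and the INSERT either stores a NULL username or, if the column is NOT NULL (the schema is not visible here), is silently dropped by `OR IGNORE` while the handler still answers 'Added user'. A guard before the first query would close this, e.g. `if not user: return 'Missing username', 400`. The route also writes to the database on `methods=['GET']`, so links, prefetchers and crawlers can trigger it; `methods=['POST']` is the safer choice for a state-changing endpoint. The same missing-parameter case applies to `user_info()` in the first hunk, although there it only yields an empty result. `adduser()` continues past the end of this hunk, so the `else:` branch is not reviewed here.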