From fda2fb6ffdbb6cd59d9b1ce800304f598e9ad974 Mon Sep 17 00:00:00 2001
From: 2000-Trek
Date: Wed, 14 Jun 2023 18:40:24 +0200
Subject: [PATCH] Added security to prevent sql errors in /user

---
 main.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/main.py b/main.py
index 9e5c43f..2ef109f 100644
--- a/main.py
+++ b/main.py
@@ -46,7 +46,7 @@ def list():
 
 @app.route("/list/user", methods=['GET'])
 def user_info():
-    username = request.args.get("user")
+    username = '%s' % request.args.get("user")
     c.execute("SELECT * FROM users WHERE username = '%s'" % username)
     user = c.fetchall()
     if user != []:
@@ -67,8 +67,8 @@ def new_user():
 @app.route("/removeuser", methods=['GET'])
 def remove_user():
     user_id = '%s' % request.args.get("id")
-    c.execute(f"DELETE * FROM tags WHERE (userid = {user_id}) ") #Ist hier noch eine Bestätigung nötig?
-    c.execute(f"DELETE * FROM users WHERE (id={user_id})")
+    c.execute(f"DELETE * FROM tags WHERE userid={user_id}") #Noch eine Bestätigung nötig
+    c.execute(f"DELETE * FROM users WHERE id={user_id}")
     conn.commit()
 @app.route("/adduser/user", methods=['GET'])
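Review bot: Wrapping the value in `'%s' % ...` on the added line does not change what reaches the database: `username` is still spliced into the query text by the `%` operator on the following line, so the query is still assembled from raw request input and the "security" in the commit message is not actually added. The same pattern remains in the /removeuser hunk, where `user_id` is formatted into the two f-string DELETE statements. Bind the value as a query parameter instead, e.g. `c.execute("SELECT * FROM users WHERE username = ?", (username,))` (the placeholder style depends on the DB-API driver; `?` is the sqlite3 form). Note also that `request.args.get("user")` returns `None` when the parameter is absent and `'%s' % None` turns that into the literal string `None`, so a missing parameter silently looks up a user named "None" rather than returning an error. user_info's body continues outside the hunk.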
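Review bot: Both added statements use `DELETE * FROM ...`, which is not valid SQL — DELETE takes no column list — so the driver will reject them with a syntax error before any row is removed; the intended form is `c.execute("DELETE FROM tags WHERE userid = ?", (user_id,))` and likewise `c.execute("DELETE FROM users WHERE id = ?", (user_id,))`, with `user_id` bound as a parameter rather than formatted into the f-string. The route is also registered with `methods=['GET']`, so a destructive delete is triggered by simply following a link, which the retained German comment `#Noch eine Bestätigung nötig` ("a confirmation is still needed") appears to acknowledge; restricting the route to POST and adding the confirmation step would close that gap. Translating that comment to English, e.g. `# TODO: require confirmation before deleting`, would also keep the file's comments readable to the whole team.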