bton/matekasse
2
1
Fork 2
Code Issues 8 Pull requests Projects Releases Packages Wiki Activity

Added security to prevent sql errors in /user

Browse source
This commit is contained in:
2000-Trek 2023-06-14 18:40:24 +02:00
parent ed3160a5ac
commit fda2fb6ffd
1 changed files with 3 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
main.py
View file

@ -46,7 +46,7 @@ def list():
@app.route("/list/user", methods=['GET']) @app.route("/list/user", methods=['GET'])
def user_info(): def user_info():
username = request.args.get("user") username = '%s' % request.args.get("user")
c.execute("SELECT * FROM users WHERE username = '%s'" % username) c.execute("SELECT * FROM users WHERE username = '%s'" % username)
user = c.fetchall() user = c.fetchall()
if user != []: if user != []:
@ -67,8 +67,8 @@ def new_user():
@app.route("/removeuser", methods=['GET']) @app.route("/removeuser", methods=['GET'])
def remove_user(): def remove_user():
user_id = '%s' % request.args.get("id") user_id = '%s' % request.args.get("id")
c.execute(f"DELETE * FROM tags WHERE (userid = {user_id}) ") #Ist hier noch eine Bestätigung nötig? c.execute(f"DELETE * FROM tags WHERE userid={user_id}") #Noch eine Bestätigung nötig
c.execute(f"DELETE * FROM users WHERE (id={user_id})") c.execute(f"DELETE * FROM users WHERE id={user_id}")
conn.commit() conn.commit()
@app.route("/adduser/user", methods=['GET']) @app.route("/adduser/user", methods=['GET'])