1
0
Fork 0
forked from bton/matekasse

added escape

This commit is contained in:
bton 2024-03-06 21:31:00 +01:00
parent c86b91a246
commit 3127e2de1f
2 changed files with 14 additions and 14 deletions

View file

@ -2,7 +2,6 @@ import queue, time, uuid, json, logging, datetime, os
from flask import Flask, render_template, render_template_string, request, make_response, session, send_file, g from flask import Flask, render_template, render_template_string, request, make_response, session, send_file, g
from flask_socketio import SocketIO, join_room, leave_room from flask_socketio import SocketIO, join_room, leave_room
from flask_session import Session from flask_session import Session
from markupsafe import escape
from Website.db import get_db from Website.db import get_db
import Website.db as db import Website.db as db
from datetime import datetime from datetime import datetime

View file

@ -1,4 +1,5 @@
from re import M from re import M
from markupsafe import escape
import sqlite3 import sqlite3
from datetime import datetime from datetime import datetime
import click import click
@ -13,44 +14,44 @@ def log(statement, user_id, before, after, change):
def add_user(after): def add_user(after):
db = get_db() db = get_db()
c = db.cursor() c = db.cursor()
c.execute("INSERT or IGNORE INTO users (username, balance) VALUES (?, 0)", [after]) c.execute("INSERT or IGNORE INTO users (username, balance) VALUES (?, 0)", [escape(after)])
user_id = c.lastrowid user_id = c.lastrowid
log("add_user", user_id=user_id, after=after) log("add_user", user_id=escape(user_id), after=escape(after))
db.commit() db.commit()
def remove_user(user_id): def remove_user(user_id):
db = get_db() db = get_db()
c = db.cursor() c = db.cursor()
c.execute("SELECT * FROM users WHERE id = ?", [user_id]) c.execute("SELECT * FROM users WHERE id = ?", [escape(user_id)])
user_name = c.fetchone()[1] user_name = c.fetchone()[1]
c.execute("SELECT * FROM tags WHERE userid = ?", [user_id]) c.execute("SELECT * FROM tags WHERE userid = ?", [escape(user_id)])
for tag in c.fetchall(): for tag in c.fetchall():
remove_tag(tag[0]) remove_tag(tag[0])
c.execute("DELETE FROM users WHERE id = ?", [user_id]) c.execute("DELETE FROM users WHERE id = ?", [escape(user_id)])
log("remove_user", user_id=user_id, before=user_name) log("remove_user", user_id=escape(user_id), before=escape(user_name))
db.commit() db.commit()
def add_tag(user_id, tag_id): def add_tag(user_id, tag_id):
db = get_db() db = get_db()
c = db.cursor() c = db.cursor()
c.execute("INSERT OR IGNORE INTO tags (tagid, userid) VALUES ?, ?)", [tag_id, user_id]) c.execute("INSERT OR IGNORE INTO tags (tagid, userid) VALUES ?, ?)", [escape(tag_id), escape(user_id)])
db.commit() db.commit()
log("addtag", after=tag_id, user_id=user_id) log("addtag", after=escape(tag_id), user_id=escape(user_id))
def remove_tag(tag_id): def remove_tag(tag_id):
db = get_db() db = get_db()
c = db.cursor() c = db.cursor()
c.execute("SELECT * FROM tags WHERE tagid = ?", [tag_id]) c.execute("SELECT * FROM tags WHERE tagid = ?", [escape(tag_id)])
user_id = c.fetchone()[1] user_id = c.fetchone()[1]
c.execute("DELETE FROM tags WHERE tagid = ?", [tag_id]) c.execute("DELETE FROM tags WHERE tagid = ?", [escape(tag_id)])
log("removetag", before=tag_id, user_id=user_id) log("removetag", before=escape(tag_id), user_id=escape(user_id))
db.commit() db.commit()
def change_balance(user_id, change): def change_balance(user_id, change):
db = get_db() db = get_db()
c = db.cursor() c = db.cursor()
c.execute("UPDATE users SET balance = balance + ? WHERE id=?", [change, user_id]) c.execute("UPDATE users SET balance = balance + ? WHERE id=?", [escape(change), escape(user_id)])
log("balance", user_id=user_id, change=change) log("balance", user_id=escape(user_id), change=escape(change))
db.commit() db.commit()
def get_db(): def get_db():