added escape
This commit is contained in:
parent
c86b91a246
commit
3127e2de1f
2 changed files with 14 additions and 14 deletions
@ -2,7 +2,6 @@ import queue, time, uuid, json, logging, datetime, os
|
||||||
from flask import Flask, render_template, render_template_string, request, make_response, session, send_file, g
|
from flask import Flask, render_template, render_template_string, request, make_response, session, send_file, g
|
||||||
from flask_socketio import SocketIO, join_room, leave_room
|
from flask_socketio import SocketIO, join_room, leave_room
|
||||||
from flask_session import Session
|
from flask_session import Session
|
||||||
from markupsafe import escape
|
|
||||||
from Website.db import get_db
|
from Website.db import get_db
|
||||||
import Website.db as db
|
import Website.db as db
|
||||||
from datetime import datetime
|
from datetime import datetime
|
||||||
|
|
|
@ -1,4 +1,5 @@
|
||||||
from re import M
|
from re import M
|
||||||
|
from markupsafe import escape
|
||||||
import sqlite3
|
import sqlite3
|
||||||
from datetime import datetime
|
from datetime import datetime
|
||||||
import click
|
import click
|
||||||
|
@ -13,44 +14,44 @@ def log(statement, user_id, before, after, change):
|
||||||
def add_user(after):
|
def add_user(after):
|
||||||
db = get_db()
|
db = get_db()
|
||||||
c = db.cursor()
|
c = db.cursor()
|
||||||
c.execute("INSERT or IGNORE INTO users (username, balance) VALUES (?, 0)", [after])
|
c.execute("INSERT or IGNORE INTO users (username, balance) VALUES (?, 0)", [escape(after)])
|
||||||
user_id = c.lastrowid
|
user_id = c.lastrowid
|
||||||
log("add_user", user_id=user_id, after=after)
|
log("add_user", user_id=escape(user_id), after=escape(after))
|
||||||
db.commit()
|
db.commit()
|
||||||
|
|
||||||
def remove_user(user_id):
|
def remove_user(user_id):
|
||||||
db = get_db()
|
db = get_db()
|
||||||
c = db.cursor()
|
c = db.cursor()
|
||||||
c.execute("SELECT * FROM users WHERE id = ?", [user_id])
|
c.execute("SELECT * FROM users WHERE id = ?", [escape(user_id)])
|
||||||
user_name = c.fetchone()[1]
|
user_name = c.fetchone()[1]
|
||||||
c.execute("SELECT * FROM tags WHERE userid = ?", [user_id])
|
c.execute("SELECT * FROM tags WHERE userid = ?", [escape(user_id)])
|
||||||
for tag in c.fetchall():
|
for tag in c.fetchall():
|
||||||
remove_tag(tag[0])
|
remove_tag(tag[0])
|
||||||
c.execute("DELETE FROM users WHERE id = ?", [user_id])
|
c.execute("DELETE FROM users WHERE id = ?", [escape(user_id)])
|
||||||
log("remove_user", user_id=user_id, before=user_name)
|
log("remove_user", user_id=escape(user_id), before=escape(user_name))
|
||||||
db.commit()
|
db.commit()
|
||||||
|
|
||||||
def add_tag(user_id, tag_id):
|
def add_tag(user_id, tag_id):
|
||||||
db = get_db()
|
db = get_db()
|
||||||
c = db.cursor()
|
c = db.cursor()
|
||||||
c.execute("INSERT OR IGNORE INTO tags (tagid, userid) VALUES ?, ?)", [tag_id, user_id])
|
c.execute("INSERT OR IGNORE INTO tags (tagid, userid) VALUES ?, ?)", [escape(tag_id), escape(user_id)])
|
||||||
db.commit()
|
db.commit()
|
||||||
log("addtag", after=tag_id, user_id=user_id)
|
log("addtag", after=escape(tag_id), user_id=escape(user_id))
|
||||||
|
|
||||||
def remove_tag(tag_id):
|
def remove_tag(tag_id):
|
||||||
db = get_db()
|
db = get_db()
|
||||||
c = db.cursor()
|
c = db.cursor()
|
||||||
c.execute("SELECT * FROM tags WHERE tagid = ?", [tag_id])
|
c.execute("SELECT * FROM tags WHERE tagid = ?", [escape(tag_id)])
|
||||||
user_id = c.fetchone()[1]
|
user_id = c.fetchone()[1]
|
||||||
c.execute("DELETE FROM tags WHERE tagid = ?", [tag_id])
|
c.execute("DELETE FROM tags WHERE tagid = ?", [escape(tag_id)])
|
||||||
log("removetag", before=tag_id, user_id=user_id)
|
log("removetag", before=escape(tag_id), user_id=escape(user_id))
|
||||||
db.commit()
|
db.commit()
|
||||||
|
|
||||||
def change_balance(user_id, change):
|
def change_balance(user_id, change):
|
||||||
db = get_db()
|
db = get_db()
|
||||||
c = db.cursor()
|
c = db.cursor()
|
||||||
c.execute("UPDATE users SET balance = balance + ? WHERE id=?", [change, user_id])
|
c.execute("UPDATE users SET balance = balance + ? WHERE id=?", [escape(change), escape(user_id)])
|
||||||
log("balance", user_id=user_id, change=change)
|
log("balance", user_id=escape(user_id), change=escape(change))
|
||||||
db.commit()
|
db.commit()
|
||||||
|
|
||||||
def get_db():
|
def get_db():
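Review bot: Wrapping the bound parameters in `escape()` (add_user through change_balance) adds no SQL-injection protection — the `?` placeholders already hand the values to sqlite3 out of band — and it changes what gets stored, because `escape` is an HTML encoder: a username such as `O'Neil` is written to the users table as `O&#39;Neil` and is then double-encoded when an autoescaping Jinja template renders it. On non-string arguments the wrapper is worse still, since `escape(user_id)` and `escape(change)` turn integers into `Markup` strings, so `WHERE id = ?` and `balance = balance + ?` now depend on SQLite's text-to-numeric coercion instead of binding integers. I would revert every `escape(...)` in the execute() and log() calls to the bare value and leave HTML escaping to the output layer (Flask's template autoescaping, or `escape()` at the point of rendering). Independently, the statement in add_tag is missing its opening parenthesis and will fail at execute time on either side of this diff; it should read `c.execute("INSERT OR IGNORE INTO tags (tagid, userid) VALUES (?, ?)", [tag_id, user_id])`. The hunk header shows `def log(statement, user_id, before, after, change):` with no defaults visible, so the keyword calls here that omit `before`, `after` or `change` look like they would raise TypeError — worth confirming against the definition, which sits above this hunk.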
|
||||||
|
|