From ebb942a9a2409308015602187aeee78c42c70f06 Mon Sep 17 00:00:00 2001
From: 2000-Trek
Date: Wed, 5 Jul 2023 21:17:36 +0200
Subject: [PATCH] fixed sql injektion
---
 main.py | 18 +++++++++---------
 templates/change.html | 2 +-
 templates/documentation.html | 2 ++
 3 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/main.py b/main.py
index 85a360d..04ecd3a 100644
--- a/main.py
+++ b/main.py
@@ -84,7 +84,7 @@ def list():
 @app.route("/list/user", methods=['GET'])
 def user_info():
 id = request.args.get("id")
- c.execute(f"SELECT * FROM users WHERE id='{id}'")
+ c.execute(f"SELECT * FROM users WHERE (id) VALUES (?)", [id])
 user_list = c.fetchall()
 if user_list != []:
 user = user_list[0]
@@ -289,14 +289,14 @@ def get_id():
 if c.fetchall() != []:
 message = "Error: 170"
 finished = queue_item
- return make_response(json.dumps({"mode":"0","error":"170"}))
+ return make_response(json.dumps({"mode":"error","error":"170"}))
 else:
 c.execute(f"INSERT OR IGNORE INTO tags (tagid, userid) VALUES ({tag_id}, {user})")
 message = f"Added {tag_id} to {username}"
 db_log.info(message)
 finished = queue_item
 conn.commit()
- return make_response(json.dumps({"mode":"2","username":username,"code":"1"}))
+ return make_response(json.dumps({"mode":"2","username":username,"message":"1"}))
 elif state == "remove":
 c.execute(f"SELECT * FROM tags WHERE (tagid = {tag_id} AND userid = {user})")
 tags = c.fetchall()
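Review bot: The replacement query `SELECT * FROM users WHERE (id) VALUES (?)` is not valid SQL — `VALUES` is INSERT syntax, so the driver (sqlite3, judging by the `?` placeholder and the `INSERT OR IGNORE` elsewhere in the patch) will reject it at execute time and /list/user fails on every request instead of returning the row. The parameterized form that keeps the original lookup is `c.execute("SELECT * FROM users WHERE id = ?", (id,))`; the `f` prefix can go because nothing is interpolated any more. user_info's body continues outside the hunk.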
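Review bot: The two queries left as context in this hunk, `INSERT OR IGNORE INTO tags (tagid, userid) VALUES ({tag_id}, {user})` and `SELECT * FROM tags WHERE (tagid = {tag_id} AND userid = {user})`, still interpolate `tag_id` and `user` into the SQL string, so the injection fix named in the commit title covers only the /list/user lookup. Whether those values originate from the request cannot be told from the hunk, but binding them the same way costs nothing: `c.execute("INSERT OR IGNORE INTO tags (tagid, userid) VALUES (?, ?)", (tag_id, user))`. Separately, renaming `"mode":"0"` to `"mode":"error"` here and in the -306 and -328 hunks (where `"1"` becomes `"balance"`) leaves `"mode":"2"` as the only numeric code, so clients must now handle both conventions; a descriptive name for the `2` case would keep the protocol uniform, and any client reading `mode`/`code` has to be updated in the same change. get_id's body starts and ends outside the hunk.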
@@ -306,14 +306,14 @@ def get_id():
 db_log.info(message)
 finished = queue_item
 conn.commit()
- return make_response(json.dumps({"mode":"2","username":username,"code":"2"}))
+ return make_response(json.dumps({"mode":"2","username":username,"message":"2"}))
 else:
 message = "054"
 finished = queue_item
- return make_response(json.dumps({"mode":"0","error":"054"}))
+ return make_response(json.dumps({"mode":"error","error":"054"}))
 finished = queue_item
 socketio.emit("update", "update")
- return make_response(json.dumps({"mode":"0","error":"418"}))
+ return make_response(json.dumps({"mode":"error","error":"418"}))
 elif tag_list != []:
 tag = tag_list[0]
@@ -328,11 +328,11 @@ def get_id():
 user = c.fetchall()[0]
 db_log.info(f"Changed the balance from user {user[0]} from {balance_old} to {user[2]}")
 socketio.emit("update", "update")
- return make_response(json.dumps({"mode":"1", "username":user[1], "balance":user[2]}))
+ return make_response(json.dumps({"mode":"balance", "username":user[1], "balance":user[2]}))
 else:
- return make_response(json.dumps({"mode":"0", "error":"043"}))
+ return make_response(json.dumps({"mode":"error", "error":"043"}))
 socketio.emit("update", "update")
- return make_response(json.dumps({"mode":"0","error":"054"}))
+ return make_response(json.dumps({"mode":"error","error":"054"}))
 #Documentation
 @app.route("/documentation")
diff --git a/templates/change.html b/templates/change.html
index 0f87766..c2d9635 100644
--- a/templates/change.html
+++ b/templates/change.html
@@ -1,6 +1,6 @@
- +