fixed sql injektion
parent
29825b8290
commit
ebb942a9a2
3 changed files with 12 additions and 10 deletions
18
main.py
18
main.py
|
@ -84,7 +84,7 @@ def list():
|
||||||
@app.route("/list/user", methods=['GET'])
|
@app.route("/list/user", methods=['GET'])
|
||||||
def user_info():
|
def user_info():
|
||||||
id = request.args.get("id")
|
id = request.args.get("id")
|
||||||
c.execute(f"SELECT * FROM users WHERE id='{id}'")
|
c.execute(f"SELECT * FROM users WHERE (id) VALUES (?)", [id])
|
||||||
user_list = c.fetchall()
|
user_list = c.fetchall()
|
||||||
if user_list != []:
|
if user_list != []:
|
||||||
user = user_list[0]
|
user = user_list[0]
|
||||||
|
@ -289,14 +289,14 @@ def get_id():
|
||||||
if c.fetchall() != []:
|
if c.fetchall() != []:
|
||||||
message = "Error: 170"
|
message = "Error: 170"
|
||||||
finished = queue_item
|
finished = queue_item
|
||||||
return make_response(json.dumps({"mode":"0","error":"170"}))
|
return make_response(json.dumps({"mode":"error","error":"170"}))
|
||||||
else:
|
else:
|
||||||
c.execute(f"INSERT OR IGNORE INTO tags (tagid, userid) VALUES ({tag_id}, {user})")
|
c.execute(f"INSERT OR IGNORE INTO tags (tagid, userid) VALUES ({tag_id}, {user})")
|
||||||
message = f"Added {tag_id} to {username}"
|
message = f"Added {tag_id} to {username}"
|
||||||
db_log.info(message)
|
db_log.info(message)
|
||||||
finished = queue_item
|
finished = queue_item
|
||||||
conn.commit()
|
conn.commit()
|
||||||
return make_response(json.dumps({"mode":"2","username":username,"code":"1"}))
|
return make_response(json.dumps({"mode":"2","username":username,"message":"1"}))
|
||||||
elif state == "remove":
|
elif state == "remove":
|
||||||
c.execute(f"SELECT * FROM tags WHERE (tagid = {tag_id} AND userid = {user})")
|
c.execute(f"SELECT * FROM tags WHERE (tagid = {tag_id} AND userid = {user})")
|
||||||
tags = c.fetchall()
|
tags = c.fetchall()
|
||||||
|
@ -306,14 +306,14 @@ def get_id():
|
||||||
db_log.info(message)
|
db_log.info(message)
|
||||||
finished = queue_item
|
finished = queue_item
|
||||||
conn.commit()
|
conn.commit()
|
||||||
return make_response(json.dumps({"mode":"2","username":username,"code":"2"}))
|
return make_response(json.dumps({"mode":"2","username":username,"message":"2"}))
|
||||||
else:
|
else:
|
||||||
message = "054"
|
message = "054"
|
||||||
finished = queue_item
|
finished = queue_item
|
||||||
return make_response(json.dumps({"mode":"0","error":"054"}))
|
return make_response(json.dumps({"mode":"error","error":"054"}))
|
||||||
finished = queue_item
|
finished = queue_item
|
||||||
socketio.emit("update", "update")
|
socketio.emit("update", "update")
|
||||||
return make_response(json.dumps({"mode":"0","error":"418"}))
|
return make_response(json.dumps({"mode":"error","error":"418"}))
|
||||||
|
|
||||||
elif tag_list != []:
|
elif tag_list != []:
|
||||||
tag = tag_list[0]
|
tag = tag_list[0]
|
||||||
|
@ -328,11 +328,11 @@ def get_id():
|
||||||
user = c.fetchall()[0]
|
user = c.fetchall()[0]
|
||||||
db_log.info(f"Changed the balance from user {user[0]} from {balance_old} to {user[2]}")
|
db_log.info(f"Changed the balance from user {user[0]} from {balance_old} to {user[2]}")
|
||||||
socketio.emit("update", "update")
|
socketio.emit("update", "update")
|
||||||
return make_response(json.dumps({"mode":"1", "username":user[1], "balance":user[2]}))
|
return make_response(json.dumps({"mode":"balance", "username":user[1], "balance":user[2]}))
|
||||||
else:
|
else:
|
||||||
return make_response(json.dumps({"mode":"0", "error":"043"}))
|
return make_response(json.dumps({"mode":"error", "error":"043"}))
|
||||||
socketio.emit("update", "update")
|
socketio.emit("update", "update")
|
||||||
return make_response(json.dumps({"mode":"0","error":"054"}))
|
return make_response(json.dumps({"mode":"error","error":"054"}))
|
||||||
|
|
||||||
#Documentation
|
#Documentation
|
||||||
@app.route("/documentation")
|
@app.route("/documentation")
|
||||||
|
|
|
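Review bot: The new statement in user_info(), `c.execute(f"SELECT * FROM users WHERE (id) VALUES (?)", [id])`, is not valid SQL — `WHERE (id) VALUES (?)` is INSERT syntax, so the lookup should fail at execute time instead of returning the user; the intended form is `c.execute("SELECT * FROM users WHERE id = ?", (id,))`, and the `f` prefix should go once nothing is interpolated into the string. The get_id() hunks still build SQL with f-strings on unchanged context lines (`INSERT OR IGNORE INTO tags (tagid, userid) VALUES ({tag_id}, {user})` and `SELECT * FROM tags WHERE (tagid = {tag_id} AND userid = {user})`), so the commit title overstates its scope; those statements should take the same `?` placeholders with `tag_id` and `user` passed as parameters. The local name `id` in user_info() also shadows the builtin and is worth renaming to `user_id` while the line is being touched. Both user_info() and get_id() begin and end outside the shown hunks.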
@ -1,6 +1,6 @@
|
||||||
<!DOCTYPE html>
|
<!DOCTYPE html>
|
||||||
<html lang="en">
|
<html lang="en">
|
||||||
<script src="/socket.io.js" integrity="sha512-q/dWJ3kcmjBLU4Qc47E4A9kTB4m3wuTY7vkFJDTZKjTs8jhyGQnaUrxa0Ytd0ssMZhbNua9hE+E7Qv1j+DyZwA==" crossorigin="anonymous"></script>
|
<script src="https://cdnjs.cloudflare.com/ajax/libs/socket.io/4.0.1/socket.io.js" integrity="sha512-q/dWJ3kcmjBLU4Qc47E4A9kTB4m3wuTY7vkFJDTZKjTs8jhyGQnaUrxa0Ytd0ssMZhbNua9hE+E7Qv1j+DyZwA==" crossorigin="anonymous"></script>
|
||||||
<script type="text/javascript" charset="utf-8">
|
<script type="text/javascript" charset="utf-8">
|
||||||
var socket = io();
|
var socket = io();
|
||||||
var change = {{change}}
|
var change = {{change}}
|
||||||
|
|
|
@ -11,6 +11,8 @@
|
||||||
<p> <a href="/">index page</a> | <a href="/list">user and tag list</a></p>
|
<p> <a href="/">index page</a> | <a href="/list">user and tag list</a></p>
|
||||||
</div>
|
</div>
|
||||||
<h1 class="header"> <u>Documentation</u> </h1>
|
<h1 class="header"> <u>Documentation</u> </h1>
|
||||||
|
<p>http://matekasse.server.c3h/api/tag_id?={tag_id}</p>
|
||||||
|
<p>response:</p>
|
||||||
<p> </p>
|
<p> </p>
|
||||||
<div id="text">
|
<div id="text">
|
||||||
<h2>API:</h2>
|
<h2>API:</h2>
|
||||||
|
|