
fixed SQL injection

This commit is contained in:
2000-Trek 2023-07-05 21:17:36 +02:00
parent 29825b8290
commit ebb942a9a2
3 changed files with 12 additions and 10 deletions

main.py

@ -84,7 +84,7 @@ def list():
@app.route("/list/user", methods=['GET']) @app.route("/list/user", methods=['GET'])
def user_info(): def user_info():
id = request.args.get("id") id = request.args.get("id")
c.execute(f"SELECT * FROM users WHERE id='{id}'") c.execute(f"SELECT * FROM users WHERE (id) VALUES (?)", [id])
user_list = c.fetchall() user_list = c.fetchall()
if user_list != []: if user_list != []:
user = user_list[0] user = user_list[0]
@ -289,14 +289,14 @@ def get_id():
if c.fetchall() != []: if c.fetchall() != []:
message = "Error: 170" message = "Error: 170"
finished = queue_item finished = queue_item
return make_response(json.dumps({"mode":"0","error":"170"})) return make_response(json.dumps({"mode":"error","error":"170"}))
else: else:
c.execute(f"INSERT OR IGNORE INTO tags (tagid, userid) VALUES ({tag_id}, {user})") c.execute(f"INSERT OR IGNORE INTO tags (tagid, userid) VALUES ({tag_id}, {user})")
message = f"Added {tag_id} to {username}" message = f"Added {tag_id} to {username}"
db_log.info(message) db_log.info(message)
finished = queue_item finished = queue_item
conn.commit() conn.commit()
return make_response(json.dumps({"mode":"2","username":username,"code":"1"})) return make_response(json.dumps({"mode":"2","username":username,"message":"1"}))
elif state == "remove": elif state == "remove":
c.execute(f"SELECT * FROM tags WHERE (tagid = {tag_id} AND userid = {user})") c.execute(f"SELECT * FROM tags WHERE (tagid = {tag_id} AND userid = {user})")
tags = c.fetchall() tags = c.fetchall()
@ -306,14 +306,14 @@ def get_id():
db_log.info(message) db_log.info(message)
finished = queue_item finished = queue_item
conn.commit() conn.commit()
return make_response(json.dumps({"mode":"2","username":username,"code":"2"})) return make_response(json.dumps({"mode":"2","username":username,"message":"2"}))
else: else:
message = "054" message = "054"
finished = queue_item finished = queue_item
return make_response(json.dumps({"mode":"0","error":"054"})) return make_response(json.dumps({"mode":"error","error":"054"}))
finished = queue_item finished = queue_item
socketio.emit("update", "update") socketio.emit("update", "update")
return make_response(json.dumps({"mode":"0","error":"418"})) return make_response(json.dumps({"mode":"error","error":"418"}))
elif tag_list != []: elif tag_list != []:
tag = tag_list[0] tag = tag_list[0]
@ -328,11 +328,11 @@ def get_id():
user = c.fetchall()[0] user = c.fetchall()[0]
db_log.info(f"Changed the balance from user {user[0]} from {balance_old} to {user[2]}") db_log.info(f"Changed the balance from user {user[0]} from {balance_old} to {user[2]}")
socketio.emit("update", "update") socketio.emit("update", "update")
return make_response(json.dumps({"mode":"1", "username":user[1], "balance":user[2]})) return make_response(json.dumps({"mode":"balance", "username":user[1], "balance":user[2]}))
else: else:
return make_response(json.dumps({"mode":"0", "error":"043"})) return make_response(json.dumps({"mode":"error", "error":"043"}))
socketio.emit("update", "update") socketio.emit("update", "update")
return make_response(json.dumps({"mode":"0","error":"054"})) return make_response(json.dumps({"mode":"error","error":"054"}))
#Documentation #Documentation
@app.route("/documentation") @app.route("/documentation")
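Review bot: The parameterised statement in `user_info`, `c.execute(f"SELECT * FROM users WHERE (id) VALUES (?)", [id])`, is not valid SQL — `WHERE (id) VALUES (?)` mixes INSERT syntax into a SELECT, so the driver will most likely reject it on every request instead of returning the row; the intended line is `c.execute("SELECT * FROM users WHERE id = ?", (id,))`, and the `f` prefix is no longer needed once the value is bound. The same string-building is left in the later hunks of this file: `INSERT OR IGNORE INTO tags (tagid, userid) VALUES ({tag_id}, {user})` and `SELECT * FROM tags WHERE (tagid = {tag_id} AND userid = {user})` still interpolate `tag_id` and `user` directly, and where those values originate is outside the visible hunks, so they should use `?` placeholders too unless they are provably integers produced by the database. The `mode` values in the JSON responses changing from `"0"`/`"1"` to `"error"`/`"balance"` alter the API contract for clients and are not mentioned in the commit message. `user_info` starts in the first hunk but ends outside it, and `get_id` starts and ends outside the hunks that touch it.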


@ -1,6 +1,6 @@
<!DOCTYPE html> <!DOCTYPE html>
<html lang="en"> <html lang="en">
<script src="/socket.io.js" integrity="sha512-q/dWJ3kcmjBLU4Qc47E4A9kTB4m3wuTY7vkFJDTZKjTs8jhyGQnaUrxa0Ytd0ssMZhbNua9hE+E7Qv1j+DyZwA==" crossorigin="anonymous"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/socket.io/4.0.1/socket.io.js" integrity="sha512-q/dWJ3kcmjBLU4Qc47E4A9kTB4m3wuTY7vkFJDTZKjTs8jhyGQnaUrxa0Ytd0ssMZhbNua9hE+E7Qv1j+DyZwA==" crossorigin="anonymous"></script>
<script type="text/javascript" charset="utf-8"> <script type="text/javascript" charset="utf-8">
var socket = io(); var socket = io();
var change = {{change}} var change = {{change}}
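Review bot: The script tag on the changed line switches the socket.io source between the local `/socket.io.js` and `https://cdnjs.cloudflare.com/ajax/libs/socket.io/4.0.1/socket.io.js` (the CDN copy appears to be the new side, though the page does not mark it), which is unrelated to the SQL-injection fix named in the commit title and should be called out in the description. The `integrity` value is carried over unchanged, so it must be the hash of exactly the 4.0.1 build served at that URL or the browser will refuse to execute the script; keeping SRI together with `crossorigin="anonymous"` on a CDN-hosted script is the right shape, the value just needs verifying against the file actually served.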


@ -11,6 +11,8 @@
<p> <a href="/">index page</a> | <a href="/list">user and tag list</a></p> <p> <a href="/">index page</a> | <a href="/list">user and tag list</a></p>
</div> </div>
<h1 class="header"> <u>Documentation</u> </h1> <h1 class="header"> <u>Documentation</u> </h1>
<p>http://matekasse.server.c3h/api/tag_id?={tag_id}</p>
<p>response:</p>
<p>&nbsp;</p> <p>&nbsp;</p>
<div id="text"> <div id="text">
<h2>API:</h2> <h2>API:</h2>