authorLibravatar Silas Bartha <silas@exvacuum.dev>2025-02-12 18:55:47 -0500
committerLibravatar Silas Bartha <silas@exvacuum.dev>2025-02-12 18:55:47 -0500
commit462399de435c01ad342fe95a1f741920cbe488b0 (patch)
tree124b1847946db2b2d7d020ae50f4ef938d99e85f
parentabc64e2dffe1baa5c77e6eb8238a9a756bc4549e (diff)
made API more injection-resistant (lmao)
-rw-r--r--api/api.py12
-rw-r--r--api/forum.dbbin20480 -> 0 bytes
2 files changed, 6 insertions, 6 deletions
diff --git a/api/api.py b/api/api.py
index f5fd677..3b74bfc 100644
--- a/api/api.py
+++ b/api/api.py
@@ -71,16 +71,16 @@ def remove_message():
cur = db.cursor()
token = request.form['token']
message_id = request.form['message_id']
- res = cur.execute(f"SELECT user_id FROM user WHERE token='{token}'")
+ res = cur.execute("SELECT user_id FROM user WHERE token= ?", (token,))
res = res.fetchone()
if res is not None:
(user_id,) = res
- res = cur.execute(f"SELECT message_id, user_id FROM message WHERE message_id='{message_id}'")
+ res = cur.execute("SELECT message_id, user_id FROM message WHERE message_id= ?", (message_id,))
res = res.fetchone()
if res is not None:
(message_id, message_user_id) = res
if message_user_id == user_id:
- cur.execute(f"DELETE FROM message WHERE message_id='{message_id}'")
+ cur.execute("DELETE FROM message WHERE message_id= ?", (message_id,))
db.commit()
return Response(status=HTTPStatus.NO_CONTENT)
else:
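Review bot: The ownership check on the new lines is still a SELECT followed by a separate DELETE, so the authorization is re-implemented in Python (`message_user_id == user_id`) and the row can change between the two statements; with bound parameters now in place the lookup and delete collapse into one server-side check, `cur.execute("DELETE FROM message WHERE message_id = ? AND user_id = ?", (message_id, user_id))` followed by `if cur.rowcount:` to tell "deleted" from "no such message or not the owner". The `else` branches that follow (outside the hunk) presumably return distinct statuses for those two cases; if that distinction is deliberate, keep the SELECT but at least run both statements in the same transaction. Note also that `message_id` is bound as the raw form string, which only matches an INTEGER column through SQLite's type affinity — an `int(...)` conversion with a 400 on failure would make the contract explicit. `remove_message` begins and ends outside this hunk.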
@@ -97,16 +97,16 @@ def edit_message():
token = request.form['token']
message_id = request.form['message_id']
new_message = request.form['message']
- res = cur.execute(f"SELECT user_id FROM user WHERE token='{token}'")
+ res = cur.execute("SELECT user_id FROM user WHERE token = ?", (token,))
res = res.fetchone()
if res is not None and new_message is not None:
(user_id,) = res
- res = cur.execute(f"SELECT message_id, user_id FROM message WHERE message_id='{message_id}'")
+ res = cur.execute("SELECT message_id, user_id FROM message WHERE message_id= ?", (message_id,))
res = res.fetchone()
if res is not None:
(message_id, message_user_id) = res
if message_user_id == user_id:
- cur.execute(f"UPDATE message SET message = '{new_message}' WHERE message_id='{message_id}'");
+ cur.execute("UPDATE message SET message = ? WHERE message_id= ?", (new_message, message_id));
db.commit()
return Response(status=HTTPStatus.NO_CONTENT)
else:
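Review bot: The `new_message is not None` test on the `if` line is dead: `request.form['message']` raises a KeyError (which Flask turns into a 400) when the field is missing and otherwise returns a str, so the guard never filters anything and an empty or arbitrarily large body goes straight into the UPDATE. Replace it with a real content check, e.g. `new_message = request.form.get('message', '')` and `if res is not None and new_message:`, plus a length bound matching whatever the message-creation path enforces (not visible here). The trailing `;` on the UPDATE line is a leftover from the f-string version, and as in `remove_message` the ownership test could move into the statement itself as `WHERE message_id = ? AND user_id = ?` with a `cur.rowcount` check. `edit_message` starts and ends outside this hunk.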
diff --git a/api/forum.db b/api/forum.db
deleted file mode 100644
index ef88bf9..0000000
--- a/api/forum.db
+++ /dev/null
Binary files differ