From 462399de435c01ad342fe95a1f741920cbe488b0 Mon Sep 17 00:00:00 2001
From: Silas Bartha
Date: Wed, 12 Feb 2025 18:55:47 -0500
Subject: [PATCH] made API more injection-resistant (lmao)

---
 api/api.py | 12 ++++++------
 api/forum.db | Bin 20480 -> 0 bytes
 2 files changed, 6 insertions(+), 6 deletions(-)
 delete mode 100644 api/forum.db

diff --git a/api/api.py b/api/api.py
index f5fd677..3b74bfc 100644
--- a/api/api.py
+++ b/api/api.py
@@ -71,16 +71,16 @@ def remove_message():
     cur = db.cursor()
     token = request.form['token']
     message_id = request.form['message_id']
-    res = cur.execute(f"SELECT user_id FROM user WHERE token='{token}'")
+    res = cur.execute("SELECT user_id FROM user WHERE token= ?", (token,))
     res = res.fetchone()
     if res is not None:
         (user_id,) = res
-        res = cur.execute(f"SELECT message_id, user_id FROM message WHERE message_id='{message_id}'")
+        res = cur.execute("SELECT message_id, user_id FROM message WHERE message_id= ?", (message_id,))
         res = res.fetchone()
         if res is not None:
             (message_id, message_user_id) = res
             if message_user_id == user_id:
-                cur.execute(f"DELETE FROM message WHERE message_id='{message_id}'")
+                cur.execute("DELETE FROM message WHERE message_id= ?", (message_id,))
                 db.commit()
                 return Response(status=HTTPStatus.NO_CONTENT)
             else:
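Review bot: The ownership check in the new code is still a read-then-write: the SELECT on the message row establishes `message_user_id == user_id` in Python, and the added DELETE is keyed on `message_id` alone, so the authorization decision and the write are two separate statements, and with sqlite3's default behaviour (the implicit transaction only opens at the DML statement, as far as can be inferred from outside the hunk) nothing prevents the row from changing between them. Folding the owner into the write makes the check atomic and drops the second round-trip: `cur.execute("DELETE FROM message WHERE message_id = ? AND user_id = ?", (message_id, user_id))` and then branching on `cur.rowcount == 1` for the NO_CONTENT path. The same pattern appears in the edit_message hunk below, where the UPDATE could carry `AND user_id = ?` in the same way. remove_message starts before this hunk and its `else:` branches continue past it.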
@@ -97,16 +97,16 @@ def edit_message():
     token = request.form['token']
     message_id = request.form['message_id']
     new_message = request.form['message']
-    res = cur.execute(f"SELECT user_id FROM user WHERE token='{token}'")
+    res = cur.execute("SELECT user_id FROM user WHERE token = ?", (token,))
     res = res.fetchone()
     if res is not None and new_message is not None:
         (user_id,) = res
-        res = cur.execute(f"SELECT message_id, user_id FROM message WHERE message_id='{message_id}'")
+        res = cur.execute("SELECT message_id, user_id FROM message WHERE message_id= ?", (message_id,))
         res = res.fetchone()
         if res is not None:
             (message_id, message_user_id) = res
             if message_user_id == user_id:
-                cur.execute(f"UPDATE message SET message = '{new_message}' WHERE message_id='{message_id}'");
+                cur.execute("UPDATE message SET message = ? WHERE message_id= ?", (new_message, message_id));
                 db.commit()
                 return Response(status=HTTPStatus.NO_CONTENT)
             else:
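Review bot: The guard `if res is not None and new_message is not None:` on the context line cannot do what it appears to: `request.form['message']` in Flask raises a 400 on a missing key rather than yielding None, so the `new_message is not None` half is always true and an empty string still reaches the UPDATE. If empty edits are meant to be rejected, `if res is not None and new_message:` is the check that does it. Two style nits in the added lines: the UPDATE call keeps a trailing `;`, and the token query here is spelled `token = ?` while the remove_message hunk uses `token= ?` (both hunks use `message_id= ?`), so pick one spacing for the SQL text. edit_message starts before this hunk and its `else:` branches continue past it.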
diff --git a/api/forum.db b/api/forum.db deleted file mode 100644 index ef88bf99e6bd4576014a1bac9387f0a18270d1f1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 20480 zcmeI&J8v9S6ae7aT|a=xJ1COnAU8vSVoQ5h_x%tJ#@e80Lx4?O1k1AS)3M?Q#Et|) z0=c2$zqsH}q(GubLmi3#K*^bv7m>nb8;U4rq}jPMbN9@dZ>E`h?t`!H9iHc=oIXAF z=Z&b|uR5LTlcuSv>K3evu+Ek)G!|w%ucbHT?1GmHMx0q5r(9f2n`(Kd<+$ z>x{=y00mG01yBG5Pyhu`00mG01yJC10v9)X%WLcFor@pNeK^X;`RvRe%r*<#lhM}0 zQS)%?(|e=l>fFZFcKbKcUMt4S&(f#ewgXw?&Ik8C=me#h`JJsPy%HN%RdjwzF`~KPa>2!a8 zc71l$SlsF?t*x$h4yJd|MsL^dE4jBvX7OLm`uy}sKH0q8U0VBi^|~ugGiL2?4?N## zO;=!DUiq`Cf2~XXLI1b@Pkj!%xS#+Epa2S>01BW03ZMWApa2TIi2~#0-p-D5Dd-X+ zk%3Vnsj$Q;#))Kx3CpZ>#Tt`>)6Nqwf+Nz$NUSfGgq$e#vY6D zi6kXvxu;fTUW5|H#bgN6P7v9~v6Oq_GUKv1YMu1s1qh~CQP%TFiqMM4Ea8HMB@$Ci zIi^HKaV$6?i%6tcXCX6Ph-XR@8*@=cu%ty8_u61llxQL&#(6`e;{|S*a-u@!A#e{V zF_A2lIYp8S(?o(H@ey)#R*Dib&=xxGLNHsnW648iAr~Tr)DTQsl4UZUO5oL2<}7(h zjs$I>k4=eq4a_m>>`W**P&4j8u&6XEMk-=tgeMh?C$=zX(Ws~lDKZ_XD}oCxNh}d= zGqrtmu%u{hIfLg1&+|QapO^bDt9q~gxt8^1|7HD0edA4h$uVaXKmim$0Te(16hHwK zKmim$fwx;=qqozUXY6CS?Ksc4#!}mHo-vEXw&OhG5ew6fbBs0g+K%&#BXn=~cHW(5 zjG(Rmcl$4@`bqyqfBWrzQ}FIl00mG01yBG5Pyhu`00mG01^!duVy(BdvvaZh5q#>h z>@6d~6sXY~SBRA<6J;f}QKrDGp6BCrmkzBn!ceC;w^|6z2MysvC#8~3zyts$sTO+B z@SzY)Fl(sMlrzos-tqSrtKDfnALgW_4_1*(4dkPt>K-JN)j2iU2nDtH;OD9E@3NuO z)*3AsWiY3KQ3d&kA?K1&Cl%#F8E(X&5kqIB;nEn#m3B~K-#hWgxrvYS!NJANPMg<_ zHAh3r#VA5Ghq`>WhB%m%LA+6>SPu7?VP?kbr!njjI^>pd3W;##jDa}}ZDxE3yApt4 zj)pT-TabdxxO4#J;JI)owcdN2kB&~;`hT~+tf1