soaos/forum
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

made API more injection-resistant (lmao)

Browse Source
This commit is contained in:
Silas Bartha 2025-02-12 18:55:47 -05:00
parent abc64e2dff
commit 462399de43
2 changed files with 6 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
api/api.py
View File

@ -71,16 +71,16 @@ def remove_message():
cur = db.cursor() cur = db.cursor()
token = request.form['token'] token = request.form['token']
message_id = request.form['message_id'] message_id = request.form['message_id']
res = cur.execute(f"SELECT user_id FROM user WHERE token='{token}'") res = cur.execute("SELECT user_id FROM user WHERE token= ?", (token,))
res = res.fetchone() res = res.fetchone()
if res is not None: if res is not None:
(user_id,) = res (user_id,) = res
res = cur.execute(f"SELECT message_id, user_id FROM message WHERE message_id='{message_id}'") res = cur.execute("SELECT message_id, user_id FROM message WHERE message_id= ?", (message_id,))
res = res.fetchone() res = res.fetchone()
if res is not None: if res is not None:
(message_id, message_user_id) = res (message_id, message_user_id) = res
if message_user_id == user_id: if message_user_id == user_id:
cur.execute(f"DELETE FROM message WHERE message_id='{message_id}'") cur.execute("DELETE FROM message WHERE message_id= ?", (message_id,))
db.commit() db.commit()
return Response(status=HTTPStatus.NO_CONTENT) return Response(status=HTTPStatus.NO_CONTENT)
else: else:
@ -97,16 +97,16 @@ def edit_message():
token = request.form['token'] token = request.form['token']
message_id = request.form['message_id'] message_id = request.form['message_id']
new_message = request.form['message'] new_message = request.form['message']
res = cur.execute(f"SELECT user_id FROM user WHERE token='{token}'") res = cur.execute("SELECT user_id FROM user WHERE token = ?", (token,))
res = res.fetchone() res = res.fetchone()
if res is not None and new_message is not None: if res is not None and new_message is not None:
(user_id,) = res (user_id,) = res
res = cur.execute(f"SELECT message_id, user_id FROM message WHERE message_id='{message_id}'") res = cur.execute("SELECT message_id, user_id FROM message WHERE message_id= ?", (message_id,))
res = res.fetchone() res = res.fetchone()
if res is not None: if res is not None:
(message_id, message_user_id) = res (message_id, message_user_id) = res
if message_user_id == user_id: if message_user_id == user_id:
cur.execute(f"UPDATE message SET message = '{new_message}' WHERE message_id='{message_id}'"); cur.execute("UPDATE message SET message = ? WHERE message_id= ?", (new_message, message_id));
db.commit() db.commit()
return Response(status=HTTPStatus.NO_CONTENT) return Response(status=HTTPStatus.NO_CONTENT)
else: else:

BIN
api/forum.db
View File

Binary file not shown.