⚠️ SQL QUERIES ARE SAFE NOW ⚠️
DogukanUrker committed Jan 17, 2024
1 parent 6909bc1 commit 9f1417f
Showing 20 changed files with 175 additions and 69 deletions.
56 changes: 43 additions & 13 deletions delete.py
Expand Up @@ -12,29 +12,53 @@
def deletePost(postID):
connection = sqlite3.connect(DB_POSTS_ROOT)
cursor = connection.cursor()
cursor.execute(f"select author from posts where id = {postID}")
cursor.execute(f"delete from posts where id = {postID}")
cursor.execute(f"update sqlite_sequence set seq = seq-1")
cursor.execute(
"""select author from posts where id = ? """,
[(postID)],
)
cursor.execute(
"""delete from posts where id = ? """,
[(postID)],
)
cursor.execute("update sqlite_sequence set seq = seq-1")
connection.commit()
connection.close()
connection = sqlite3.connect(DB_COMMENTS_ROOT)
cursor = connection.cursor()
cursor.execute(f"select count(*) from comments where post = {postID}")
cursor.execute(
"""select count(*) from comments where post = ? """,
[(postID)],
)
commentCount = list(cursor)[0][0]
cursor.execute(f"delete from comments where post = {postID}")
cursor.execute(f"update sqlite_sequence set seq = seq - {commentCount}")
cursor.execute(
"""delete from comments where post = ? """,
[(postID)],
)
cursor.execute(
"""update sqlite_sequence set seq = seq - ? """,
[(commentCount)],
)
connection.commit()
message("2", f'POST: "{postID}" DELETED')


def deleteUser(userName):
connection = sqlite3.connect(DB_USERS_ROOT)
cursor = connection.cursor()
cursor.execute(f'select * from users where lower(userName) = "{userName.lower()}"')
cursor.execute(f'select role from users where userName = "{session["userName"]}"')
cursor.execute(
"""select * from users where lower(userName) = ? """,
[(userName.lower())],
)
cursor.execute(
"""select role from users where userName = ? """,
[(session["userName"])],
)
perpetrator = cursor.fetchone()
cursor.execute(f'delete from users where lower(userName) = "{userName.lower()}"')
cursor.execute(f"update sqlite_sequence set seq = seq-1")
cursor.execute(
"""delete from users where lower(userName) = ? """,
[(userName.lower())],
)
cursor.execute("update sqlite_sequence set seq = seq-1")
connection.commit()
message("2", f'USER: "{userName}" DELETED')
match perpetrator[0] == "admin":
Expand All @@ -48,8 +72,14 @@ def deleteUser(userName):
def deleteComment(commentID):
connection = sqlite3.connect(DB_COMMENTS_ROOT)
cursor = connection.cursor()
cursor.execute(f"select user from comments where id = {commentID}")
cursor.execute(f"delete from comments where id = {commentID}")
cursor.execute(f"update sqlite_sequence set seq = seq-1")
cursor.execute(
"""select user from comments where id = ? """,
[(commentID)],
)
cursor.execute(
"""delete from comments where id = ? """,
[(commentID)],
)
cursor.execute("update sqlite_sequence set seq = seq-1")
connection.commit()
message("2", f'COMMENT: "{commentID}" DELETED')
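Review bot: The bind lists `[(postID)]`, `[(commentCount)]`, `[(userName.lower())]` and `[(session["userName"])]` in both hunks wrap a single value in parentheses that do nothing — `(postID)` is just `postID`, so each is a one-element list that works only because sqlite3 accepts any sequence. Spelling the parameters as a real tuple, `(postID,)`, makes the intent unambiguous and stops the pattern being copied as `cursor.execute(sql, (userName))`, which sqlite3 would treat as a sequence of characters; the same style appears in helpers.py and in every routes/*.py section of this commit. Separately, the rewritten `update sqlite_sequence set seq = seq-1` (and `seq = seq - ?` on the comments database) carries no `where name = ...` clause, so it rewrites every row of that table; harmless if each database file holds a single table, otherwise it shifts unrelated counters. The comments connection opened in deletePost is committed but never closed, unlike the posts connection a few lines above it. deleteUser's body continues past the end of the first hunk.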
6 changes: 4 additions & 2 deletions helpers.py
Expand Up @@ -78,7 +78,8 @@ def addPoints(points, user):
connection = sqlite3.connect(DB_USERS_ROOT)
cursor = connection.cursor()
cursor.execute(
f'update users set points = points+{points} where userName = "{user}"'
"""update users set points = points+? where userName = ? """,
[(points), (user)],
)
connection.commit()
message("2", f'{points} POINTS ADDED TO "{user}"')
Expand All @@ -88,6 +89,7 @@ def getProfilePicture(userName):
connection = sqlite3.connect(DB_USERS_ROOT)
cursor = connection.cursor()
cursor.execute(
f'select profilePicture from users where lower(userName) = "{userName.lower()}"'
"""select profilePicture from users where lower(userName) = ? """,
[(userName.lower())],
)
return cursor.fetchone()[0]
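Review bot: `return cursor.fetchone()[0]` on the line after the rewritten getProfilePicture query raises TypeError when no user matches, because fetchone() returns None on an empty result; a guard such as `row = cursor.fetchone()` followed by `return row[0] if row else None` keeps the lookup total. The same `fetchone()[0]` on a `select role from users where userName = ?` bound to session["userName"] appears in routes/adminPanel.py, adminPanelComments.py, adminPanelPosts.py and adminPanelUsers.py, and on the password lookups in routes/changePassword.py and routes/passwordReset.py, where a session naming a deleted or renamed user surfaces as a 500 instead of a clean redirect. Neither connection opened in these two hunks is closed after use; `contextlib.closing(sqlite3.connect(...))` in a `with` block would take care of that.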
3 changes: 2 additions & 1 deletion routes/accountSettings.py
Expand Up @@ -19,7 +19,8 @@ def accountSettings():
connection = sqlite3.connect(DB_USERS_ROOT)
cursor = connection.cursor()
cursor.execute(
f'select userName from users where userName = "{session["userName"]}"'
"""select userName from users where userName = ? """,
[(session["userName"])],
)
user = cursor.fetchall()
if request.method == "POST":
3 changes: 2 additions & 1 deletion routes/adminPanel.py
Expand Up @@ -17,7 +17,8 @@ def adminPanel():
connection = sqlite3.connect(DB_USERS_ROOT)
cursor = connection.cursor()
cursor.execute(
f'select role from users where userName = "{session["userName"]}"'
"""select role from users where userName = ? """,
[(session["userName"])],
)
role = cursor.fetchone()[0]
match role == "admin":
3 changes: 2 additions & 1 deletion routes/adminPanelComments.py
Expand Up @@ -21,7 +21,8 @@ def adminPanelComments():
connection = sqlite3.connect(DB_USERS_ROOT)
cursor = connection.cursor()
cursor.execute(
f'select role from users where userName = "{session["userName"]}"'
"""select role from users where userName = ? """,
[(session["userName"])],
)
role = cursor.fetchone()[0]
if request.method == "POST":
3 changes: 2 additions & 1 deletion routes/adminPanelPosts.py
Expand Up @@ -21,7 +21,8 @@ def adminPanelPosts():
connection = sqlite3.connect(DB_USERS_ROOT)
cursor = connection.cursor()
cursor.execute(
f'select role from users where userName = "{session["userName"]}"'
"""select role from users where userName = ? """,
[(session["userName"])],
)
role = cursor.fetchone()[0]
if request.method == "POST":
3 changes: 2 additions & 1 deletion routes/adminPanelUsers.py
Expand Up @@ -20,7 +20,8 @@ def adminPanelUsers():
connection = sqlite3.connect(DB_USERS_ROOT)
cursor = connection.cursor()
cursor.execute(
f'select role from users where userName = "{session["userName"]}"'
"""select role from users where userName = ? """,
[(session["userName"])],
)
role = cursor.fetchone()[0]
if request.method == "POST":
6 changes: 4 additions & 2 deletions routes/changePassword.py
Expand Up @@ -27,7 +27,8 @@ def changePassword():
connection = sqlite3.connect(DB_USERS_ROOT)
cursor = connection.cursor()
cursor.execute(
f'select password from users where userName = "{session["userName"]}"'
"""select password from users where userName = ? """,
[(session["userName"])],
)
if sha256_crypt.verify(oldPassword, cursor.fetchone()[0]):
if oldPassword == password:
Expand All @@ -39,7 +40,8 @@ def changePassword():
connection = sqlite3.connect(DB_USERS_ROOT)
cursor = connection.cursor()
cursor.execute(
f'update users set password = "{newPassword}" where userName = "{session["userName"]}"'
"""update users set password = ? where userName = ? """,
[(newPassword), (session["userName"])],
)
connection.commit()
message(
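Review bot: Whether the `newPassword` bound on the rewritten update in the second hunk is already a sha256_crypt hash or the raw form value cannot be seen here — the lines between the `sha256_crypt.verify` in the first hunk and the update are not shown. routes/passwordReset.py calls `sha256_crypt.hash(password)` immediately before its own update, so if changePassword does not do the same, `newPassword = sha256_crypt.hash(newPassword)` belongs directly above this execute. The `cursor.fetchone()[0]` passed to verify() in the first hunk assumes the session user still exists. changePassword's body starts before the first hunk and continues past the second.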
3 changes: 2 additions & 1 deletion routes/changeProfilePicture.py
Expand Up @@ -25,7 +25,8 @@ def changeProfilePicture():
connection = sqlite3.connect(DB_USERS_ROOT)
cursor = connection.cursor()
cursor.execute(
f'update users set profilePicture = "{newProfilePicture}" where userName = "{session["userName"]}" '
"""update users set profilePicture = ? where userName = ? """,
[(newProfilePicture), (session["userName"])],
)
connection.commit()
message(
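Review bot: Binding `newProfilePicture` closes the injection path but says nothing about the value itself, which is written to the profilePicture column and is presumably rendered as an image source elsewhere; where it comes from and whether it is checked is outside this hunk. If it is a user-supplied URL, a scheme and length check before the execute — e.g. reject unless `newProfilePicture.startswith(("http://", "https://"))` and the length is bounded — keeps arbitrary strings out of the column and out of the templates that read it. changeProfilePicture's body starts before the hunk and continues past it.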
12 changes: 8 additions & 4 deletions routes/changeUserName.py
Expand Up @@ -27,7 +27,8 @@ def changeUserName():
connection = sqlite3.connect(DB_USERS_ROOT)
cursor = connection.cursor()
cursor.execute(
f'select userName from users where userName = "{newUserName}"'
"""select userName from users where userName = ? """,
[(newUserName)],
)
userNameCheck = cursor.fetchone()
match newUserName.isascii():
Expand All @@ -39,19 +40,22 @@ def changeUserName():
match userNameCheck == None:
case True:
cursor.execute(
f'update users set userName = "{newUserName}" where userName = "{session["userName"]}" '
"""update users set userName = ? where userName = ? """,
[(newUserName), (session["userName"])],
)
connection.commit()
connection = sqlite3.connect(DB_POSTS_ROOT)
cursor = connection.cursor()
cursor.execute(
f'update posts set Author = "{newUserName}" where author = "{session["userName"]}" '
"""update posts set Author = ? where author = ? """,
[(newUserName), (session["userName"])],
)
connection.commit()
connection = sqlite3.connect(DB_COMMENTS_ROOT)
cursor = connection.cursor()
cursor.execute(
f'update comments set user = "{newUserName}" where user = "{session["userName"]}" '
"""update comments set user = ? where user = ? """,
[(newUserName), (session["userName"])],
)
connection.commit()
message(
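Review bot: The availability check rewritten in the first hunk, `select userName from users where userName = ?`, matches case-sensitively, while routes/login.py, routes/dashboard.py and deleteUser look users up with `lower(userName) = ?`; a rename to a name that differs from an existing one only by case passes this check, after which the lower()-based lookups can return either account. Comparing in the same normalised form, `"""select userName from users where lower(userName) = ? """, (newUserName.lower(),)`, closes that gap. In the second hunk the rename is committed to the users database before the posts and comments databases are touched, each on its own connection with its own commit, so a failure part-way leaves the three out of step; this predates the commit but deserves a TODO. The `userNameCheck == None` guard above the update should read `is None`. changeUserName's body starts before the first hunk and continues past the second.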
6 changes: 4 additions & 2 deletions routes/dashboard.py
Expand Up @@ -24,13 +24,15 @@ def dashboard(userName):
connection = sqlite3.connect(DB_POSTS_ROOT)
cursor = connection.cursor()
cursor.execute(
f'select * from posts where author = "{session["userName"]}"'
"""select * from posts where author = ? """,
[(session["userName"])],
)
posts = cursor.fetchall()
connection = sqlite3.connect(DB_COMMENTS_ROOT)
cursor = connection.cursor()
cursor.execute(
f'select * from comments where lower(user) = "{userName.lower()}"'
"""select * from comments where lower(user) = ? """,
[(userName.lower())],
)
if request.method == "POST":
if "postDeleteButton" in request.form:
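Review bot: The two rewritten queries select by different identities: the posts query binds `session["userName"]` while the comments query binds the route's `userName.lower()`, so if dashboard(userName) can be reached for a user other than the one logged in, the page would pair the viewer's posts with the target's comments. If that is not intended, the posts query should also bind `(userName.lower(),)` against `lower(author) = ?`; if the view is only ever reached for the logged-in user, the two are equivalent and a one-line comment saying so would save the next reader the question. The comments result is not fetched inside the hunk, and the rest of dashboard runs past its end.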
16 changes: 11 additions & 5 deletions routes/editPost.py
Expand Up @@ -23,19 +23,23 @@ def editPost(postID):
case True:
connection = sqlite3.connect(DB_POSTS_ROOT)
cursor = connection.cursor()
cursor.execute(f"select id from posts")
cursor.execute("select id from posts")
posts = str(cursor.fetchall())
match str(postID) in posts:
case True:
connection = sqlite3.connect(DB_POSTS_ROOT)
cursor = connection.cursor()
cursor.execute(f"select * from posts where id = {postID}")
cursor.execute(
"""select * from posts where id = ? """,
[(postID)],
)
post = cursor.fetchone()
message("2", f'POST: "{postID}" FOUND')
connection = sqlite3.connect(DB_USERS_ROOT)
cursor = connection.cursor()
cursor.execute(
f'select userName from users where userName="{session["userName"]}"'
"""select userName from users where userName = ? """,
[(session["userName"])],
)
match post[4] == session["userName"]:
case True:
Expand Down Expand Up @@ -70,10 +74,12 @@ def editPost(postID):
(postContent, post[0]),
)
cursor.execute(
f'update posts set lastEditDate = "{currentDate()}" where id = {post[0]}'
"""update posts set lastEditDate = ? where id = ? """,
[(currentDate()), (post[0])],
)
cursor.execute(
f'update posts set lastEditTime = "{currentTime()}" where id = {post[0]}'
"""update posts set lastEditTime = ? where id = ? """,
[(currentTime()), (post[0])],
)
connection.commit()
message("2", f'POST: "{postTitle}" EDITED')
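Review bot: The existence check above the rewritten lookup, `posts = str(cursor.fetchall())` followed by `str(postID) in posts`, is a substring test on the printed list, so a postID of "1" is accepted when only id 10 exists; the parameterised `select * from posts where id = ?` then returns None and `post[4]` a few lines down raises TypeError. Replacing the two-step check with `cursor.execute("select id from posts where id = ?", (postID,))` and matching on `cursor.fetchone() is not None` removes both the full-table fetch and the false positive; routes/post.py has the same `str(postID) in posts` pattern in its first hunk. The result of the `select userName from users` query after the post fetch is never read in this hunk. editPost's body starts before the first hunk and continues past the second.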
3 changes: 2 additions & 1 deletion routes/login.py
Expand Up @@ -35,7 +35,8 @@ def login(direct):
connection = sqlite3.connect(DB_USERS_ROOT)
cursor = connection.cursor()
cursor.execute(
f'select * from users where lower(userName) = "{userName.lower()}"'
"""select * from users where lower(userName) = ? """,
[(userName.lower())],
)
user = cursor.fetchone()
if not user:
12 changes: 8 additions & 4 deletions routes/passwordReset.py
Expand Up @@ -36,7 +36,8 @@ def passwordReset(codeSent):
match code == passwordResetCode:
case True:
cursor.execute(
f'select password from users where lower(userName) = "{userName.lower()}"'
"""select password from users where lower(userName) = ? """,
[(userName.lower())],
)
oldPassword = cursor.fetchone()[0]
match password == passwordConfirm:
Expand All @@ -50,7 +51,8 @@ def passwordReset(codeSent):
case False:
password = sha256_crypt.hash(password)
cursor.execute(
f'update users set password = "{password}" where lower(userName) = "{userName.lower()}"'
"""update users set password = ? where lower(userName) = ? """,
[(password), (userName.lower())],
)
connection.commit()
messageDebugging(
Expand All @@ -75,11 +77,13 @@ def passwordReset(codeSent):
connection = sqlite3.connect(DB_USERS_ROOT)
cursor = connection.cursor()
cursor.execute(
f'select * from users where lower(userName) = "{userName.lower()}"'
"""select * from users where lower(userName) = ? """,
[(userName.lower())],
)
userNameDB = cursor.fetchone()
cursor.execute(
f'select * from users where lower(email) = "{email.lower()}"'
"""select * from users where lower(email) = ? """,
[(email.lower())],
)
emailDB = cursor.fetchone()
match not userNameDB or not emailDB:
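Review bot: The third hunk looks the account up by `lower(userName) = ?` and by `lower(email) = ?` in two independent queries, and the `match not userNameDB or not emailDB` that follows only requires both rows to exist, not that they are the same row. If the code after the hunk sends the reset code to `email` or resets the password for `userName`, any registered address would satisfy this check for another user's name; binding both in one query, `"""select * from users where lower(userName) = ? and lower(email) = ? """, (userName.lower(), email.lower())`, ties the two together. In the first hunk `oldPassword = cursor.fetchone()[0]` assumes the password row exists. The `code == passwordResetCode` comparison just above the first hunk would be better as `secrets.compare_digest(code, passwordResetCode)` if both are strings. passwordReset's body starts before the first hunk and continues past the third.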
17 changes: 13 additions & 4 deletions routes/post.py
Expand Up @@ -24,16 +24,22 @@ def post(postID):
form = commentForm(request.form)
connection = sqlite3.connect(DB_POSTS_ROOT)
cursor = connection.cursor()
cursor.execute(f"select id from posts")
cursor.execute("select id from posts")
posts = str(cursor.fetchall())
match str(postID) in posts:
case True:
message("2", f'POST: "{postID}" FOUND')
connection = sqlite3.connect(DB_POSTS_ROOT)
cursor = connection.cursor()
cursor.execute(f'select * from posts where id = "{postID}"')
cursor.execute(
"""select * from posts where id = ? """,
[(postID)],
)
post = cursor.fetchone()
cursor.execute(f'update posts set views = views+1 where id = "{postID}"')
cursor.execute(
"""update posts set views = views+1 where id = ? """,
[(postID)],
)
connection.commit()
if request.method == "POST":
if "postDeleteButton" in request.form:
Expand Down Expand Up @@ -63,7 +69,10 @@ def post(postID):
return redirect(f"/post/{postID}")
connection = sqlite3.connect(DB_COMMENTS_ROOT)
cursor = connection.cursor()
cursor.execute(f'select * from comments where post = "{postID}"')
cursor.execute(
"""select * from comments where post = ? """,
[(postID)],
)
comments = cursor.fetchall()
return render_template(
"post.html",