From 9f1417fb45665192dd6733279c964d32bf6b57c8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Do=C4=9Fukan=20=C3=9Crker?=
Date: Wed, 17 Jan 2024 14:19:05 +0300
Subject: [PATCH] =?UTF-8?q?=E2=9A=A0=EF=B8=8F=20SQL=20QUERIES=20ARE=20SAFE?= =?UTF-8?q?=20NOW=20=E2=9A=A0=EF=B8=8F?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 delete.py | 56 ++++++++++++++++++++++++++--------
 helpers.py | 6 ++--
 routes/accountSettings.py | 3 +-
 routes/adminPanel.py | 3 +-
 routes/adminPanelComments.py | 3 +-
 routes/adminPanelPosts.py | 3 +-
 routes/adminPanelUsers.py | 3 +-
 routes/changePassword.py | 6 ++--
 routes/changeProfilePicture.py | 3 +-
 routes/changeUserName.py | 12 +++++---
 routes/dashboard.py | 6 ++--
 routes/editPost.py | 16 +++++++---
 routes/login.py | 3 +-
 routes/passwordReset.py | 12 +++++---
 routes/post.py | 17 ++++++++---
 routes/search.py | 45 +++++++++++++++++++++------
 routes/setUserRole.py | 6 ++--
 routes/signup.py | 21 ++++++++-----
 routes/user.py | 8 ++---
 routes/verifyUser.py | 12 +++++---
 20 files changed, 175 insertions(+), 69 deletions(-)
diff --git a/delete.py b/delete.py
index ed892635..e3b3873c 100644
--- a/delete.py
+++ b/delete.py
@@ -12,17 +12,32 @@ def deletePost(postID): connection = sqlite3.connect(DB_POSTS_ROOT) cursor = connection.cursor() - cursor.execute(f"select author from posts where id = {postID}") - cursor.execute(f"delete from posts where id = {postID}") - cursor.execute(f"update sqlite_sequence set seq = seq-1") + cursor.execute( + """select author from posts where id = ? """, + [(postID)], + ) + cursor.execute( + """delete from posts where id = ? """, + [(postID)], + ) + cursor.execute("update sqlite_sequence set seq = seq-1") connection.commit() connection.close() connection = sqlite3.connect(DB_COMMENTS_ROOT) cursor = connection.cursor() - cursor.execute(f"select count(*) from comments where post = {postID}") + cursor.execute( + """select count(*) from comments where post = ? """, + [(postID)], + ) commentCount = list(cursor)[0][0] - cursor.execute(f"delete from comments where post = {postID}") - cursor.execute(f"update sqlite_sequence set seq = seq - {commentCount}") + cursor.execute( + """delete from comments where post = ? """, + [(postID)], + ) + cursor.execute( + """update sqlite_sequence set seq = seq - ? """, + [(commentCount)], + ) connection.commit() message("2", f'POST: "{postID}" DELETED') 
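Review bot: `cursor.execute("update sqlite_sequence set seq = seq-1")` and the new `seq = seq - ?` statement for comments carry no `where name = ?` clause, so they rewind the AUTOINCREMENT counter of every table in that database file, not only `posts` or `comments`. Rewinding the counter at all also means the next insert reuses the id of the row just deleted, so stale links, bookmarks or any cached authorisation keyed on the old id silently resolve to a different record — AUTOINCREMENT exists precisely to rule that out, and the safer change is to drop these statements; if the rewind is kept, at least bind the table name, e.g. `"""update sqlite_sequence set seq = seq-1 where name = ? """, ("posts",)`. The same statement appears in the deleteUser and deleteComment hunks below. deletePost continues outside this hunk.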
@@ -30,11 +45,20 @@ def deletePost(postID): def deleteUser(userName): connection = sqlite3.connect(DB_USERS_ROOT) cursor = connection.cursor() - cursor.execute(f'select * from users where lower(userName) = "{userName.lower()}"') - cursor.execute(f'select role from users where userName = "{session["userName"]}"') + cursor.execute( + """select * from users where lower(userName) = ? """, + [(userName.lower())], + ) + cursor.execute( + """select role from users where userName = ? """, + [(session["userName"])], + ) perpetrator = cursor.fetchone() - cursor.execute(f'delete from users where lower(userName) = "{userName.lower()}"') - cursor.execute(f"update sqlite_sequence set seq = seq-1") + cursor.execute( + """delete from users where lower(userName) = ? """, + [(userName.lower())], + ) + cursor.execute("update sqlite_sequence set seq = seq-1") connection.commit() message("2", f'USER: "{userName}" DELETED') match perpetrator[0] == "admin": @@ -48,8 +72,14 @@ def deleteUser(userName): def deleteComment(commentID): connection = sqlite3.connect(DB_COMMENTS_ROOT) cursor = connection.cursor() - cursor.execute(f"select user from comments where id = {commentID}") - cursor.execute(f"delete from comments where id = {commentID}") - cursor.execute(f"update sqlite_sequence set seq = seq-1") + cursor.execute( + """select user from comments where id = ? """, + [(commentID)], + ) + cursor.execute( + """delete from comments where id = ? """, + [(commentID)], + ) + cursor.execute("update sqlite_sequence set seq = seq-1") connection.commit() message("2", f'COMMENT: "{commentID}" DELETED') diff --git a/helpers.py b/helpers.py index 779f8278..765d126c 100644 --- a/helpers.py +++ b/helpers.py 
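Review bot: `[(userName.lower())]`, `[(session["userName"])]` and the other one-element parameter lists throughout this patch wrap the value in parentheses that do nothing — `(x)` is just `x`, not a tuple — so the code reads as if a tuple were intended while a bare list is passed; sqlite3 accepts any sequence, so it works, but the conventional `(userName.lower(),)` (which the signup hunk already uses) says what is meant and avoids a later `[(a, b)]` edit that would bind one tuple instead of two values. In deleteUser the result of the first statement, `select * from users where lower(userName) = ?`, is never fetched in the lines shown, so that statement can be dropped. deleteUser's body continues outside its hunk.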
@@ -78,7 +78,8 @@ def addPoints(points, user): connection = sqlite3.connect(DB_USERS_ROOT) cursor = connection.cursor() cursor.execute( - f'update users set points = points+{points} where userName = "{user}"' + """update users set points = points+? where userName = ? """, + [(points), (user)], ) connection.commit() message("2", f'{points} POINTS ADDED TO "{user}"') @@ -88,6 +89,7 @@ def getProfilePicture(userName): connection = sqlite3.connect(DB_USERS_ROOT) cursor = connection.cursor() cursor.execute( - f'select profilePicture from users where lower(userName) = "{userName.lower()}"' + """select profilePicture from users where lower(userName) = ? """, + [(userName.lower())], ) return cursor.fetchone()[0] diff --git a/routes/accountSettings.py b/routes/accountSettings.py index a12227d7..6b7d8107 100644 --- a/routes/accountSettings.py +++ b/routes/accountSettings.py @@ -19,7 +19,8 @@ def accountSettings(): connection = sqlite3.connect(DB_USERS_ROOT) cursor = connection.cursor() cursor.execute( - f'select userName from users where userName = "{session["userName"]}"' + """select userName from users where userName = ? """, + [(session["userName"])], ) user = cursor.fetchall() if request.method == "POST": diff --git a/routes/adminPanel.py b/routes/adminPanel.py index e0497436..c8839346 100644 --- a/routes/adminPanel.py +++ b/routes/adminPanel.py @@ -17,7 +17,8 @@ def adminPanel(): connection = sqlite3.connect(DB_USERS_ROOT) cursor = connection.cursor() cursor.execute( - f'select role from users where userName = "{session["userName"]}"' + """select role from users where userName = ? """, + [(session["userName"])], ) role = cursor.fetchone()[0] match role == "admin": diff --git a/routes/adminPanelComments.py b/routes/adminPanelComments.py index 137868d7..a0644b71 100644 --- a/routes/adminPanelComments.py +++ b/routes/adminPanelComments.py 
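Review bot: In getProfilePicture, `return cursor.fetchone()[0]` on the line after the new select still raises `TypeError` when no row matches `userName`, so an unknown user becomes a 500 instead of a handled case; fetch into a variable first, `row = cursor.fetchone()`, and make the empty result explicit — `return row[0] if row else None` if callers can cope with `None`, otherwise raise a descriptive error. Neither helper in this file section closes its connection in the lines shown; `with contextlib.closing(sqlite3.connect(DB_USERS_ROOT)) as connection:` would bound the handle's lifetime. addPoints' body starts before its hunk.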
@@ -21,7 +21,8 @@ def adminPanelComments(): connection = sqlite3.connect(DB_USERS_ROOT) cursor = connection.cursor() cursor.execute( - f'select role from users where userName = "{session["userName"]}"' + """select role from users where userName = ? """, + [(session["userName"])], ) role = cursor.fetchone()[0] if request.method == "POST": diff --git a/routes/adminPanelPosts.py b/routes/adminPanelPosts.py index 742f4d5c..60e0f5cc 100644 --- a/routes/adminPanelPosts.py +++ b/routes/adminPanelPosts.py @@ -21,7 +21,8 @@ def adminPanelPosts(): connection = sqlite3.connect(DB_USERS_ROOT) cursor = connection.cursor() cursor.execute( - f'select role from users where userName = "{session["userName"]}"' + """select role from users where userName = ? """, + [(session["userName"])], ) role = cursor.fetchone()[0] if request.method == "POST": diff --git a/routes/adminPanelUsers.py b/routes/adminPanelUsers.py index f2166da2..083d25d1 100644 --- a/routes/adminPanelUsers.py +++ b/routes/adminPanelUsers.py @@ -20,7 +20,8 @@ def adminPanelUsers(): connection = sqlite3.connect(DB_USERS_ROOT) cursor = connection.cursor() cursor.execute( - f'select role from users where userName = "{session["userName"]}"' + """select role from users where userName = ? """, + [(session["userName"])], ) role = cursor.fetchone()[0] if request.method == "POST": diff --git a/routes/changePassword.py b/routes/changePassword.py index 54c38738..8c1bf590 100644 --- a/routes/changePassword.py +++ b/routes/changePassword.py @@ -27,7 +27,8 @@ def changePassword(): connection = sqlite3.connect(DB_USERS_ROOT) cursor = connection.cursor() cursor.execute( - f'select password from users where userName = "{session["userName"]}"' + """select password from users where userName = ? """, + [(session["userName"])], ) if sha256_crypt.verify(oldPassword, cursor.fetchone()[0]): if oldPassword == password: 
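Review bot: The role lookup — `"""select role from users where userName = ? """, [(session["userName"])]` followed by `role = cursor.fetchone()[0]` — is now repeated verbatim in adminPanel, adminPanelComments, adminPanelPosts and adminPanelUsers (and again in setUserRole), and each copy raises `TypeError` if the session's user has since been deleted. Move it into a `getUserRole(userName)` helper in helpers.py beside getProfilePicture, returning `None` for a missing user, so the admin gate is defined and fixed in one place; the routes then reduce to `match getUserRole(session["userName"]) == "admin":`. Each route's body continues outside its hunk.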
@@ -39,7 +40,8 @@ def changePassword(): connection = sqlite3.connect(DB_USERS_ROOT) cursor = connection.cursor() cursor.execute( - f'update users set password = "{newPassword}" where userName = "{session["userName"]}"' + """update users set password = ? where userName = ? """, + [(newPassword), (session["userName"])], ) connection.commit() message( diff --git a/routes/changeProfilePicture.py b/routes/changeProfilePicture.py index 377fa36c..074e2bac 100644 --- a/routes/changeProfilePicture.py +++ b/routes/changeProfilePicture.py @@ -25,7 +25,8 @@ def changeProfilePicture(): connection = sqlite3.connect(DB_USERS_ROOT) cursor = connection.cursor() cursor.execute( - f'update users set profilePicture = "{newProfilePicture}" where userName = "{session["userName"]}" ' + """update users set profilePicture = ? where userName = ? """, + [(newProfilePicture), (session["userName"])], ) connection.commit() message( diff --git a/routes/changeUserName.py b/routes/changeUserName.py index 73caa55e..3172b32f 100644 --- a/routes/changeUserName.py +++ b/routes/changeUserName.py @@ -27,7 +27,8 @@ def changeUserName(): connection = sqlite3.connect(DB_USERS_ROOT) cursor = connection.cursor() cursor.execute( - f'select userName from users where userName = "{newUserName}"' + """select userName from users where userName = ? """, + [(newUserName)], ) userNameCheck = cursor.fetchone() match newUserName.isascii(): 
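Review bot: changeUserName's availability check, `select userName from users where userName = ?`, compares case-sensitively, whereas login, passwordReset, deleteUser, verifyUser and getProfilePicture all resolve users with `lower(userName) = ?`. That lets `Alice` be taken while `alice` exists, after which the case-insensitive lookups return whichever of the two rows SQLite yields first — a password reset or deletion aimed at one account can land on the other. Use `"""select userName from users where lower(userName) = ? """, (newUserName.lower(),)` here, and confirm that signup enforces the same rule (its hunk shows no uniqueness check). changeUserName continues outside the hunk.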
@@ -39,19 +40,22 @@ def changeUserName(): match userNameCheck == None: case True: cursor.execute( - f'update users set userName = "{newUserName}" where userName = "{session["userName"]}" ' + """update users set userName = ? where userName = ? """, + [(newUserName), (session["userName"])], ) connection.commit() connection = sqlite3.connect(DB_POSTS_ROOT) cursor = connection.cursor() cursor.execute( - f'update posts set Author = "{newUserName}" where author = "{session["userName"]}" ' + """update posts set Author = ? where author = ? """, + [(newUserName), (session["userName"])], ) connection.commit() connection = sqlite3.connect(DB_COMMENTS_ROOT) cursor = connection.cursor() cursor.execute( - f'update comments set user = "{newUserName}" where user = "{session["userName"]}" ' + """update comments set user = ? where user = ? """, + [(newUserName), (session["userName"])], ) connection.commit() message( diff --git a/routes/dashboard.py b/routes/dashboard.py index 71cc9689..da2546a4 100644 --- a/routes/dashboard.py +++ b/routes/dashboard.py @@ -24,13 +24,15 @@ def dashboard(userName): connection = sqlite3.connect(DB_POSTS_ROOT) cursor = connection.cursor() cursor.execute( - f'select * from posts where author = "{session["userName"]}"' + """select * from posts where author = ? """, + [(session["userName"])], ) posts = cursor.fetchall() connection = sqlite3.connect(DB_COMMENTS_ROOT) cursor = connection.cursor() cursor.execute( - f'select * from comments where lower(user) = "{userName.lower()}"' + """select * from comments where lower(user) = ? """, + [(userName.lower())], ) if request.method == "POST": if "postDeleteButton" in request.form: diff --git a/routes/editPost.py b/routes/editPost.py index b667cedc..657c6958 100644 --- a/routes/editPost.py +++ b/routes/editPost.py 
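Review bot: The rename touches three database files (`DB_USERS_ROOT`, `DB_POSTS_ROOT`, `DB_COMMENTS_ROOT`) with three independent commits, so a failure in the posts or comments update after the users commit leaves the account renamed while its posts or comments still carry the old author name, with no rollback. Separate files rule out a single transaction, but the three statements should at least sit in one `try`/`except sqlite3.Error` that logs the failure and reports it instead of falling through to the success message. Minor: `update posts set Author = ? where author = ?` spells the column two ways; SQLite does not care, but pick one. changeUserName continues outside the hunk.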
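Review bot: dashboard(userName) binds `session["userName"]` for the posts query but the route parameter `userName.lower()` for the comments query immediately after, so when the URL does not name the logged-in user the page mixes one account's posts with another's comments; bind the same identity in both, and if `userName` is supposed to equal the session user, check that before querying. The comments statement's result is also never fetched in the lines shown — `comments = cursor.fetchall()` is missing after it unless it appears later in the route. dashboard continues outside the hunk.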
@@ -23,19 +23,23 @@ def editPost(postID): case True: connection = sqlite3.connect(DB_POSTS_ROOT) cursor = connection.cursor() - cursor.execute(f"select id from posts") + cursor.execute("select id from posts") posts = str(cursor.fetchall()) match str(postID) in posts: case True: connection = sqlite3.connect(DB_POSTS_ROOT) cursor = connection.cursor() - cursor.execute(f"select * from posts where id = {postID}") + cursor.execute( + """select * from posts where id = ? """, + [(postID)], + ) post = cursor.fetchone() message("2", f'POST: "{postID}" FOUND') connection = sqlite3.connect(DB_USERS_ROOT) cursor = connection.cursor() cursor.execute( - f'select userName from users where userName="{session["userName"]}"' + """select userName from users where userName = ? """, + [(session["userName"])], ) match post[4] == session["userName"]: case True: @@ -70,10 +74,12 @@ def editPost(postID): (postContent, post[0]), ) cursor.execute( - f'update posts set lastEditDate = "{currentDate()}" where id = {post[0]}' + """update posts set lastEditDate = ? where id = ? """, + [(currentDate()), (post[0])], ) cursor.execute( - f'update posts set lastEditTime = "{currentTime()}" where id = {post[0]}' + """update posts set lastEditTime = ? where id = ? """, + [(currentTime()), (post[0])], ) connection.commit() message("2", f'POST: "{postTitle}" EDITED') diff --git a/routes/login.py b/routes/login.py index 2ba7bb3e..631d1589 100644 --- a/routes/login.py +++ b/routes/login.py @@ -35,7 +35,8 @@ def login(direct): connection = sqlite3.connect(DB_USERS_ROOT) cursor = connection.cursor() cursor.execute( - f'select * from users where lower(userName) = "{userName.lower()}"' + """select * from users where lower(userName) = ? """, + [(userName.lower())], ) user = cursor.fetchone() if not user: diff --git a/routes/passwordReset.py b/routes/passwordReset.py index ea70ba88..9e04927e 100644 --- a/routes/passwordReset.py +++ b/routes/passwordReset.py 
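Review bot: `cursor.execute("select id from posts")`, `posts = str(cursor.fetchall())` and `match str(postID) in posts:` implement existence as a substring test on the printed id list, so postID `1` is "found" when only post 10 or 21 exists (the following `select * from posts where id = ?` then returns `None` and `post[4]` raises `TypeError`), and every request reads the entire id column. Replace the three lines with one parameterised lookup — `cursor.execute("""select 1 from posts where id = ? """, (postID,))` and `match cursor.fetchone() is not None:` — or simply fetch the post and branch on `post is None`. The same pattern is in the post.py hunk `@@ -24,16`. editPost continues outside the hunk.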
@@ -36,7 +36,8 @@ def passwordReset(codeSent): match code == passwordResetCode: case True: cursor.execute( - f'select password from users where lower(userName) = "{userName.lower()}"' + """select password from users where lower(userName) = ? """, + [(userName.lower())], ) oldPassword = cursor.fetchone()[0] match password == passwordConfirm: @@ -50,7 +51,8 @@ def passwordReset(codeSent): case False: password = sha256_crypt.hash(password) cursor.execute( - f'update users set password = "{password}" where lower(userName) = "{userName.lower()}"' + """update users set password = ? where lower(userName) = ? """, + [(password), (userName.lower())], ) connection.commit() messageDebugging( @@ -75,11 +77,13 @@ def passwordReset(codeSent): connection = sqlite3.connect(DB_USERS_ROOT) cursor = connection.cursor() cursor.execute( - f'select * from users where lower(userName) = "{userName.lower()}"' + """select * from users where lower(userName) = ? """, + [(userName.lower())], ) userNameDB = cursor.fetchone() cursor.execute( - f'select * from users where lower(email) = "{email.lower()}"' + """select * from users where lower(email) = ? """, + [(email.lower())], ) emailDB = cursor.fetchone() match not userNameDB or not emailDB: diff --git a/routes/post.py b/routes/post.py index 7b8f2176..940bdf93 100644 --- a/routes/post.py +++ b/routes/post.py 
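Review bot: In the third hunk, `select * from users where lower(userName) = ?` and `select * from users where lower(email) = ?` are evaluated independently and `match not userNameDB or not emailDB:` only requires that each value exists somewhere in the table, not that they belong to the same account; unless a later comparison outside the hunk checks that the two rows are the same user, a known username combined with a different account's email passes this gate. Replace the pair with a single lookup, `"""select * from users where lower(userName) = ? and lower(email) = ? """, (userName.lower(), email.lower())`, and treat an empty result as the failure branch. passwordReset continues outside the hunk.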
@@ -24,16 +24,22 @@ def post(postID): form = commentForm(request.form) connection = sqlite3.connect(DB_POSTS_ROOT) cursor = connection.cursor() - cursor.execute(f"select id from posts") + cursor.execute("select id from posts") posts = str(cursor.fetchall()) match str(postID) in posts: case True: message("2", f'POST: "{postID}" FOUND') connection = sqlite3.connect(DB_POSTS_ROOT) cursor = connection.cursor() - cursor.execute(f'select * from posts where id = "{postID}"') + cursor.execute( + """select * from posts where id = ? """, + [(postID)], + ) post = cursor.fetchone() - cursor.execute(f'update posts set views = views+1 where id = "{postID}"') + cursor.execute( + """update posts set views = views+1 where id = ? """, + [(postID)], + ) connection.commit() if request.method == "POST": if "postDeleteButton" in request.form: @@ -63,7 +69,10 @@ def post(postID): return redirect(f"/post/{postID}") connection = sqlite3.connect(DB_COMMENTS_ROOT) cursor = connection.cursor() - cursor.execute(f'select * from comments where post = "{postID}"') + cursor.execute( + """select * from comments where post = ? """, + [(postID)], + ) comments = cursor.fetchall() return render_template( "post.html", diff --git a/routes/search.py b/routes/search.py index 90f90feb..1ba8fc29 100644 --- a/routes/search.py +++ b/routes/search.py 
@@ -16,30 +16,54 @@ def search(query): connection = sqlite3.connect(DB_USERS_ROOT) cursor = connection.cursor() queryUsers = cursor.execute( - f"select * from users where userName like '%{query}%'" + """select * from users where userName like ? """, + [ + ("%" + query + "%"), + ], ).fetchall() queryUsers = cursor.execute( - f"select * from users where userName like '%{queryNoWhiteSpace}%'" + """select * from users where userName like ? """, + [ + ("%" + queryNoWhiteSpace + "%"), + ], ).fetchall() connection = sqlite3.connect(DB_POSTS_ROOT) cursor = connection.cursor() queryTags = cursor.execute( - f"select * from posts where tags like '%{query}%'" + """select * from posts where tags like ? """, + [ + ("%" + query + "%"), + ], ).fetchall() queryTitles = cursor.execute( - f"select * from posts where title like '%{query}%'" + """select * from posts where title like ? """, + [ + ("%" + query + "%"), + ], ).fetchall() queryAuthors = cursor.execute( - f"select * from posts where author like '%{query}%'" + """select * from posts where author like ? """, + [ + ("%" + query + "%"), + ], ).fetchall() queryTags = cursor.execute( - f"select * from posts where tags like '%{queryNoWhiteSpace}%'" + """select * from posts where tags like ? """, + [ + ("%" + queryNoWhiteSpace + "%"), + ], ).fetchall() queryTitles = cursor.execute( - f"select * from posts where title like '%{queryNoWhiteSpace}%'" + """select * from posts where title like ? """, + [ + ("%" + queryNoWhiteSpace + "%"), + ], ).fetchall() queryAuthors = cursor.execute( - f"select * from posts where author like '%{queryNoWhiteSpace}%'" + """select * from posts where author like ? """, + [ + ("%" + queryNoWhiteSpace + "%"), + ], ).fetchall() posts = [] users = [] 
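Review bot: Binding `"%" + query + "%"` removes the injection, but the LIKE metacharacters in the user's input are still live: a query of `%` matches every user and every post, and `_` matches any single character, so the endpoint lists the whole users table on request. Escape the input and declare the escape character — e.g. a small helper `def likeEscape(s): return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")` and `"""select * from users where userName like ? escape '\\' """` bound to `("%" + likeEscape(query) + "%",)`. Separately, each of `queryUsers`, `queryTags`, `queryTitles` and `queryAuthors` is assigned twice, so the four `query` results are discarded and only the `queryNoWhiteSpace` results survive; merge the two passes into one `like ? or ... like ?` statement or remove the dead pass. search continues outside the hunk.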
@@ -65,7 +89,10 @@ def search(query): resultsID.append(post[0]) posts = [] for postID in resultsID: - cursor.execute(f"select * from posts where id = {postID}") + cursor.execute( + """select * from posts where id = ? """, + [(postID)], + ) posts.append(cursor.fetchall()) return render_template( "search.html", diff --git a/routes/setUserRole.py b/routes/setUserRole.py index e60c550b..3de8256f 100644 --- a/routes/setUserRole.py +++ b/routes/setUserRole.py @@ -10,13 +10,15 @@ def setUserRole(userName, newRole): connection = sqlite3.connect(DB_USERS_ROOT) cursor = connection.cursor() cursor.execute( - f'select role from users where userName = "{session["userName"]}"' + """select role from users where userName = ? """, + [(session["userName"])], ) role = cursor.fetchone()[0] match role == "admin": case True: cursor.execute( - f'update users set role = "{newRole}" where lower(userName) = "{userName.lower()}" ' + """update users set role = ? where lower(userName) = ? """, + [(newRole), (userName.lower())], ) connection.commit() message( diff --git a/routes/signup.py b/routes/signup.py index c798fdef..18a1722e 100644 --- a/routes/signup.py +++ b/routes/signup.py @@ -50,13 +50,20 @@ def signup(): cursor = connection.cursor() cursor.execute( f""" - insert into users(userName,email,password,profilePicture,role,points,creationDate,creationTime,isVerified) - values("{userName}","{email}","{password}", - "https://api.dicebear.com/7.x/identicon/svg?seed={userName}&radius=10", - "user",0, - "{currentDate()}", - "{currentTime()}","False") - """ + insert into users(userName,email,password,profilePicture,role,points,creationDate,creationTime,isVerified) \ + values(?, ?, ?, ?, ?, ?, ?, ?, ?) + """, + ( + userName, + email, + password, + f"https://api.dicebear.com/7.x/identicon/svg?seed={userName}&radius=10", + "user", + 0, + currentDate(), + currentTime(), + "False", + ), ) connection.commit() message( diff --git a/routes/user.py b/routes/user.py index 6c1f4d69..9bb523d4 100644 
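Review bot: `update users set role = ? where lower(userName) = ?` writes `newRole` straight from the route parameter with no check that it is a recognised role; the only values visible in this codebase are `"user"` (signup's insert) and `"admin"`, so any other string becomes a stored role that no `role == "admin"` check understands. Validate it before the update — e.g. `if newRole not in ("user", "admin"):` and reject the request — or define the set of roles once and reuse it here and in signup. setUserRole continues outside the hunk.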
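Review bot: The insert keeps the `f"""` prefix although the template no longer interpolates anything (ruff F541), and the trailing `\` inside the triple-quoted string is an unneeded line continuation — drop both so the statement is a plain literal. The profile-picture URL still places `userName` unencoded into a query string (`seed={userName}&radius=10`); if usernames may contain `&`, `#`, `%` or spaces, pass it through `urllib.parse.quote` so the stored URL stays well-formed. The parameters here are already a proper tuple, which the rest of the patch should follow. signup continues outside the hunk.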
--- a/routes/user.py +++ b/routes/user.py @@ -21,14 +21,14 @@ def user(userName): case True: message("2", f'USER: "{userName}" FOUND') cursor.execute( - """select * from users where lower(userName) = ?""", + """select * from users where lower(userName) = ? """, [(userName)], ) user = cursor.fetchone() connection = sqlite3.connect(DB_POSTS_ROOT) cursor = connection.cursor() cursor.execute( - """select views from posts where author = ?""", + """select views from posts where author = ? """, [(user[1])], ) viewsData = cursor.fetchall() @@ -36,14 +36,14 @@ def user(userName): for view in viewsData: views += int(view[0]) cursor.execute( - """select * from posts where author = ?""", + """select * from posts where author = ? """, [(user[1])], ) posts = cursor.fetchall() connection = sqlite3.connect(DB_COMMENTS_ROOT) cursor = connection.cursor() cursor.execute( - """select * from comments where lower(user) = ?""", + """select * from comments where lower(user) = ? """, [(userName.lower())], ) comments = cursor.fetchall() diff --git a/routes/verifyUser.py b/routes/verifyUser.py index 8d026e76..1fa6d003 100644 --- a/routes/verifyUser.py +++ b/routes/verifyUser.py @@ -26,7 +26,8 @@ def verifyUser(codeSent): connection = sqlite3.connect(DB_USERS_ROOT) cursor = connection.cursor() cursor.execute( - f'select isVerified from users where lower(username) = "{userName.lower()}"' + """select isVerified from users where lower(username) = ? """, + [(userName.lower())], ) isVerfied = cursor.fetchone()[0] match isVerfied: @@ -42,7 +43,8 @@ def verifyUser(codeSent): match code == verificationCode: case True: cursor.execute( - f'update users set isVerified = "True" where lower(userName) = "{userName.lower()}"' + """update users set isVerified = "True" where lower(userName) = ? """, + [(userName.lower())], ) connection.commit() messageDebugging( 
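Review bot: `update users set isVerified = "True" where lower(userName) = ?` double-quotes a string literal; in SQLite a double-quoted token is an identifier first and only degrades to a string when no such column exists, a compatibility quirk that can be compiled out (`SQLITE_DQS=0`), at which point this statement fails. Bind it like every other value — `"""update users set isVerified = ? where lower(userName) = ? """, ("True", userName.lower())` — or at least use single quotes. The two user.py hunks in this span are whitespace-only. verifyUser continues outside the hunk.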
@@ -64,11 +66,13 @@ def verifyUser(codeSent): connection = sqlite3.connect(DB_USERS_ROOT) cursor = connection.cursor() cursor.execute( - f'select * from users where lower(userName) = "{userName.lower()}"' + """select * from users where lower(userName) = ? """, + [(userName.lower())], ) userNameDB = cursor.fetchone() cursor.execute( - f'select email from users where lower(username) = "{userName.lower()}"' + """select email from users where lower(username) = ? """, + [(userName.lower())], ) email = cursor.fetchone() match not userNameDB:
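Review bot: The two statements in this hunk read the same row twice with the same bound value — `select * from users where lower(userName) = ?` and then `select email from users where lower(username) = ?` — and the second leaves `email` holding a one-element row tuple rather than the address. Take the email column from `userNameDB` after its `None` check and drop the second query; while there, spell the column `userName` consistently (SQLite ignores the case, readers do not). verifyUser continues outside the hunk.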