fix code injection in queries

git-bruh 2021-05-05 10:30:10 +05:30
parent b9e5409300
commit b21c82ccd0
No known key found for this signature in database
GPG key ID: E1475C50075ADCE6


@ -54,29 +54,29 @@ class DataBase(object):
with self.lock:
self.cur.execute(
"INSERT INTO bridge (room_id, channel_id) "
f"VALUES ('{room_id}', '{channel_id}')"
"INSERT INTO bridge (room_id, channel_id) VALUES (?, ?)",
[room_id, channel_id],
)
self.conn.commit()
def add_user(self, mxid: str) -> None:
with self.lock:
self.cur.execute(f"INSERT INTO users (mxid) VALUES ('{mxid}')")
self.cur.execute("INSERT INTO users (mxid) VALUES (?)", [mxid])
self.conn.commit()
def add_avatar(self, avatar_url: str, mxid: str) -> None:
with self.lock:
self.cur.execute(
f"UPDATE users SET avatar_url = '{avatar_url}'"
f"WHERE mxid = '{mxid}'"
"UPDATE users SET avatar_url = (?) WHERE mxid = (?)",
[avatar_url, mxid],
)
self.conn.commit()
def add_username(self, username: str, mxid: str) -> None:
with self.lock:
self.cur.execute(
f"UPDATE users SET username = '{username}'"
f"WHERE mxid = '{mxid}'"
"UPDATE users SET username = (?) WHERE mxid = (?)",
[username, mxid],
)
self.conn.commit()
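Review bot: Nothing in this hunk records or tests the invariant the fix depends on, so a later edit could reintroduce an f-string query in the first insert, `add_user`, `add_avatar` or `add_username` without anyone noticing. A comment above the first `execute`, such as `# Bind every value with ? placeholders; never format caller-supplied strings into SQL.`, plus a regression test that stores a value containing a single quote and reads it back unchanged, would pin the behaviour. The hunk covers only lines 54-82 of `DataBase`, and the first method's `def` line is outside it, so any other queries in the class (read paths in particular) presumably need the same audit. As a minor style point, the parentheses in `SET avatar_url = (?) WHERE mxid = (?)` are redundant; `SET avatar_url = ? WHERE mxid = ?` is the usual form.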