fix code injection in queries

2021-05-05 10:30:10 +05:30 · 2021-05-05 10:30:10 +05:30 · b21c82ccd0
commit b21c82ccd0
parent b9e5409300
1 changed files with 7 additions and 7 deletions
--- a/appservice/db.py
+++ b/appservice/db.py
@ -54,29 +54,29 @@ class DataBase(object):

        with self.lock:
            self.cur.execute(
-                "INSERT INTO bridge (room_id, channel_id) "
-                f"VALUES ('{room_id}', '{channel_id}')"
+                "INSERT INTO bridge (room_id, channel_id) VALUES (?, ?)",
+                [room_id, channel_id],
            )
            self.conn.commit()

    def add_user(self, mxid: str) -> None:
        with self.lock:
-            self.cur.execute(f"INSERT INTO users (mxid) VALUES ('{mxid}')")
+            self.cur.execute("INSERT INTO users (mxid) VALUES (?)", [mxid])
            self.conn.commit()

    def add_avatar(self, avatar_url: str, mxid: str) -> None:
        with self.lock:
            self.cur.execute(
-                f"UPDATE users SET avatar_url = '{avatar_url}'"
-                f"WHERE mxid = '{mxid}'"
+                "UPDATE users SET avatar_url = (?) WHERE mxid = (?)",
+                [avatar_url, mxid],
            )
            self.conn.commit()

    def add_username(self, username: str, mxid: str) -> None:
        with self.lock:
            self.cur.execute(
-                f"UPDATE users SET username = '{username}'"
-                f"WHERE mxid = '{mxid}'"
+                "UPDATE users SET username = (?) WHERE mxid = (?)",
+                [username, mxid],
            )
            self.conn.commit()