fix code injection in queries

git-bruh 2021-05-05 10:30:10 +05:30
parent b9e5409300
commit b21c82ccd0
No known key found for this signature in database
GPG key ID: E1475C50075ADCE6


@ -54,29 +54,29 @@ class DataBase(object):
with self.lock: with self.lock:
self.cur.execute( self.cur.execute(
"INSERT INTO bridge (room_id, channel_id) " "INSERT INTO bridge (room_id, channel_id) VALUES (?, ?)",
f"VALUES ('{room_id}', '{channel_id}')" [room_id, channel_id],
) )
self.conn.commit() self.conn.commit()
def add_user(self, mxid: str) -> None: def add_user(self, mxid: str) -> None:
with self.lock: with self.lock:
self.cur.execute(f"INSERT INTO users (mxid) VALUES ('{mxid}')") self.cur.execute("INSERT INTO users (mxid) VALUES (?)", [mxid])
self.conn.commit() self.conn.commit()
def add_avatar(self, avatar_url: str, mxid: str) -> None: def add_avatar(self, avatar_url: str, mxid: str) -> None:
with self.lock: with self.lock:
self.cur.execute( self.cur.execute(
f"UPDATE users SET avatar_url = '{avatar_url}'" "UPDATE users SET avatar_url = (?) WHERE mxid = (?)",
f"WHERE mxid = '{mxid}'" [avatar_url, mxid],
) )
self.conn.commit() self.conn.commit()
def add_username(self, username: str, mxid: str) -> None: def add_username(self, username: str, mxid: str) -> None:
with self.lock: with self.lock:
self.cur.execute( self.cur.execute(
f"UPDATE users SET username = '{username}'" "UPDATE users SET username = (?) WHERE mxid = (?)",
f"WHERE mxid = '{mxid}'" [username, mxid],
) )
self.conn.commit() self.conn.commit()
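Review bot: The parenthesised placeholders in the two UPDATE statements (`avatar_url = (?) WHERE mxid = (?)` in add_avatar, and the same shape in add_username) bind correctly but are harder to read than the plain qmark form, for example `"UPDATE users SET username = ? WHERE mxid = ?"`. Separately, this section shows only the four write methods. Any other query in DataBase that is still assembled with an f-string needs the same bound-parameter treatment, and that cannot be confirmed from the visible lines. A regression test that stores an mxid or username containing a single quote and reads it back unchanged would keep these call sites from drifting back to string formatting.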