Replaced fuzzy DB queries with parameterized queries

Removed cases where string formatting was used for preparing SQL queries (vulnerable to SQL Injection) and replaced them with parameterization.
dev
Peery 3 years ago
parent a8dcbcc386
commit 2764fef612

@ -454,8 +454,9 @@ class DBAdapter:
if all_if_empty and (name is None or len(name) == 0) and (domain is None or len(domain) == 0):
self.db_cursor.execute("SELECT name, domain, artist_id FROM presence")
else:
self.db_cursor.execute("SELECT name, domain, artist_id FROM presence WHERE LOWER(name) LIKE LOWER('%{0}%')".format(name) +
" AND domain LIKE '%{0}%'".format(domain))
d = {"name":"%"+name+"%", "domain": "%"+domain+"%"}
self.db_cursor.execute("SELECT name, domain, artist_id FROM presence WHERE LOWER(name) LIKE "
"LOWER(%(name)s) AND domain LIKE %(domain)s", d)
rows = self.db_cursor.fetchall()
result = []
@ -495,7 +496,8 @@ class DBAdapter:
:param search:
:return:
"""
self.db_cursor.execute("SELECT name FROM tag_category WHERE LOWER(name) LIKE LOWER('%{0}%')".format(search))
d = {"search": "%"+search+"%"}
self.db_cursor.execute("SELECT name FROM tag_category WHERE LOWER(name) LIKE LOWER(%(search)s)", d)
rows = []
for row in self.db_cursor.fetchall():
@ -513,7 +515,8 @@ class DBAdapter:
if all_if_empty and len(name) == 0:
self.db_cursor.execute("SELECT name, description, category_id FROM tag")
else:
self.db_cursor.execute("SELECT name, description, category_id FROM tag WHERE LOWER(name) LIKE LOWER('%{0}%')".format(name))
d = {"name": "%"+name+"%"}
self.db_cursor.execute("SELECT name, description, category_id FROM tag WHERE LOWER(name) LIKE LOWER(%(name)s)", d)
rows = self.db_cursor.fetchall()
new_rows = []
@ -544,8 +547,8 @@ class DBAdapter:
elif all_if_empty and ID is None and len(name) == 0:
self.db_cursor.execute("SELECT id, name FROM artist")
else:
self.db_cursor.execute("SELECT id, name FROM artist WHERE LOWER(name) LIKE LOWER('%{0}%')"
.format(name))
d = {"name": "%"+name+"%"}
self.db_cursor.execute("SELECT id, name FROM artist WHERE LOWER(name) LIKE LOWER(%(name)s)", d)
return self.db_cursor.fetchall()

Loading…
Cancel
Save