Replaced fuzzy DB queries with parameterized queries

Removed cases where string formatting was used for preparing SQL queries (vulnerable to SQL Injection) and replaced them with parameterization.
dev
Peery 2 years ago
parent a8dcbcc386
commit 2764fef612

@ -454,8 +454,9 @@ class DBAdapter:
if all_if_empty and (name is None or len(name) == 0) and (domain is None or len(domain) == 0):
self.db_cursor.execute("SELECT name, domain, artist_id FROM presence")
else:
self.db_cursor.execute("SELECT name, domain, artist_id FROM presence WHERE LOWER(name) LIKE LOWER('%{0}%')".format(name) +
" AND domain LIKE '%{0}%'".format(domain))
d = {"name":"%"+name+"%", "domain": "%"+domain+"%"}
self.db_cursor.execute("SELECT name, domain, artist_id FROM presence WHERE LOWER(name) LIKE "
"LOWER(%(name)s) AND domain LIKE %(domain)s", d)
rows = self.db_cursor.fetchall()
result = []
@ -495,7 +496,8 @@ class DBAdapter:
:param search:
:return:
"""
self.db_cursor.execute("SELECT name FROM tag_category WHERE LOWER(name) LIKE LOWER('%{0}%')".format(search))
d = {"search": "%"+search+"%"}
self.db_cursor.execute("SELECT name FROM tag_category WHERE LOWER(name) LIKE LOWER(%(search)s)", d)
rows = []
for row in self.db_cursor.fetchall():
@ -513,7 +515,8 @@ class DBAdapter:
if all_if_empty and len(name) == 0:
self.db_cursor.execute("SELECT name, description, category_id FROM tag")
else:
self.db_cursor.execute("SELECT name, description, category_id FROM tag WHERE LOWER(name) LIKE LOWER('%{0}%')".format(name))
d = {"name": "%"+name+"%"}
self.db_cursor.execute("SELECT name, description, category_id FROM tag WHERE LOWER(name) LIKE LOWER(%(name)s)", d)
rows = self.db_cursor.fetchall()
new_rows = []
@ -544,8 +547,8 @@ class DBAdapter:
elif all_if_empty and ID is None and len(name) == 0:
self.db_cursor.execute("SELECT id, name FROM artist")
else:
self.db_cursor.execute("SELECT id, name FROM artist WHERE LOWER(name) LIKE LOWER('%{0}%')"
.format(name))
d = {"name": "%"+name+"%"}
self.db_cursor.execute("SELECT id, name FROM artist WHERE LOWER(name) LIKE LOWER(%(name)s)", d)
return self.db_cursor.fetchall()
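Review bot: In the first hunk the new `d = {"name":"%"+name+"%", "domain": "%"+domain+"%"}` raises TypeError when `name` or `domain` is None, an input the guard on the line above explicitly admits (it only takes the all-rows path when both are empty and all_if_empty is set), whereas the old `.format()` silently produced `'%None%'`. Building the patterns as `"%" + (name or "") + "%"` and `"%" + (domain or "") + "%"` keeps the old no-crash behaviour while preserving the parameterization. Separately, in all four hunks the search term is still interpreted as a LIKE pattern, so a user-supplied `%` or `_` still widens the match (parameterization stops SQL injection, not wildcard injection); if plain substring matching is intended, escape the term before wrapping it, e.g. `term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")`, and add an `ESCAPE '\'` clause where the driver does not default to backslash. The `%(name)s` placeholders also commit the adapter to a DB-API driver with paramstyle `pyformat` (psycopg2, MySQLdb); with sqlite3 these queries would fail, which cannot be confirmed from this page. All four enclosing methods start before their hunks, and at least the first three continue past them.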
