From 016d5a63ee4b14e6ec2942d5389adaee239e7bab Mon Sep 17 00:00:00 2001
From: jakobsn
Date: Tue, 28 Jan 2020 13:44:23 +0100
Subject: [PATCH] Error handling to prevent database from crashing on too easy on sql injections
---
 src/app/models/project.py | 27 ++++++++++++++++++++++++---
 src/app/models/register.py | 1 +
 src/app/models/user.py | 29 ++++++++++++++++++++--------
 3 files changed, 45 insertions(+), 12 deletions(-)
diff --git a/src/app/models/project.py b/src/app/models/project.py
index 43eb3cd..e23fb65 100644
--- a/src/app/models/project.py
+++ b/src/app/models/project.py
@@ -16,6 +16,7 @@ def get_categories():
     except mysql.connector.Error as err:
         print("Failed executing query: {}".format(err))
         categories = []
+        cursor.fetchall()
         exit(1)
     finally:
         cursor.close()
@@ -51,6 +52,7 @@ def set_project(categoryid, userid, project_title, project_description, project_
     except mysql.connector.Error as err:
         print("Failed executing query: {}".format(err))
         projectid = None
+        cursor.fetchall()
         exit(1)
     finally:
         cursor.close()
@@ -74,6 +76,7 @@ def get_project_by_id(projectid):
     except mysql.connector.Error as err:
         print("Failed executing query: {}".format(err))
         project = []
+        cursor.fetchall()
         exit(1)
     finally:
         cursor.close()
@@ -97,6 +100,7 @@ def update_project_status(projectid, status):
         db.commit()
     except mysql.connector.Error as err:
         print("Failed executing query: {}".format(err))
+        cursor.fetchall()
         exit(1)
     finally:
         cursor.close()
@@ -121,6 +125,7 @@ def get_user_permissions(userid, projectid):
         permissions = cursor.fetchall()
     except mysql.connector.Error as err:
         print("Failed executing query: {}".format(err))
+        cursor.fetchall()
         exit(1)
     finally:
         cursor.close()
@@ -149,6 +154,7 @@ def get_projects_by_status_and_category(categoryid, project_status):
     except mysql.connector.Error as err:
         print("Failed executing query: {}".format(err))
         projects = []
+        cursor.fetchall()
         exit(1)
     finally:
         cursor.close()
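Review bot: The `cursor.fetchall()` added to the except branch of get_categories runs after execute() has already failed, and on mysql.connector a fetchall() with no pending result set raises InterfaceError itself, so the handler raises and `exit(1)` is never reached (the finally clause still runs); the same line is added in every other hunk of this patch (set_project, get_project_by_id, update_project_status, get_user_permissions, get_projects_by_status_and_category, and the remaining hunks in project.py, register.py and user.py). If the aim is to discard an unread result, the `finally: cursor.close()` already takes care of that, so the line should simply be dropped. Note also that the pre-existing `exit(1)` terminates the whole server process on any query error, so a single malformed value in a request still takes the service down, which is the opposite of what the subject line describes; a model function should raise or return an error value to the caller instead. The enclosing functions start outside each hunk.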
@@ -171,6 +177,7 @@ def get_projects_by_owner(userid):
     except mysql.connector.Error as err:
         print("Failed executing query: {}".format(err))
         projects = []
+        cursor.fetchall()
         exit(1)
     finally:
         cursor.close()
@@ -197,6 +204,7 @@ def get_projects_by_status_and_owner(userid, project_status):
     except mysql.connector.Error as err:
         print("Failed executing query: {}".format(err))
         projects = []
+        cursor.fetchall()
         exit(1)
     finally:
         cursor.close()
@@ -225,6 +233,7 @@ def get_projects_by_participant_and_status(userid, project_status):
     except mysql.connector.Error as err:
         print("Failed executing query: {}".format(err))
         projects = []
+        cursor.fetchall()
         exit(1)
     finally:
         cursor.close()
@@ -254,6 +263,7 @@ def set_task(projectid, task_title, task_description, budget):
         db.commit()
     except mysql.connector.Error as err:
         print("Failed executing query: {}".format(err))
+        cursor.fetchall()
         exit(1)
     finally:
         cursor.close()
@@ -264,9 +274,16 @@ def update_task_status(taskid, status):
     cursor = db.cursor()
     query = ("UPDATE tasks SET task_status = \"" + status + "\" WHERE taskid = \"" + taskid + "\"")
-    cursor.execute(query)
-    db.commit()
-    cursor.close()
+    try:
+        cursor.execute(query)
+        db.commit()
+    except:
+        print("Failed executing query: {}".format(err))
+        cursor.fetchall()
+        exit(1)
+    finally:
+        cursor.close()
+        db.close()
 def get_tasks_by_project_id(projectid):
     """
@@ -285,6 +302,7 @@ def get_tasks_by_project_id(projectid):
     except mysql.connector.Error as err:
         print("Failed executing query: {}".format(err))
         tasks = []
+        cursor.fetchall()
         exit(1)
     finally:
         cursor.close()
@@ -309,6 +327,7 @@ def set_task_file(taskid, filename):
         db.commit()
     except mysql.connector.Error as err:
         print("Failed executing query: {}".format(err))
+        cursor.fetchall()
         exit(1)
     finally:
         cursor.close()
@@ -330,6 +349,7 @@ def get_task_files(taskid):
     except mysql.connector.Error as err:
         print("Failed executing query: {}".format(err))
         filenames = []
+        cursor.fetchall()
         exit(1)
     finally:
         cursor.close()
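Review bot: In the new update_task_status handler, `except:` binds no exception name, so the `print("Failed executing query: {}".format(err))` line raises NameError on `err` before anything else in the branch runs; it should read `except mysql.connector.Error as err:` like the other functions in this file. The bare except also swallows SystemExit and KeyboardInterrupt, which is rarely intended. The problem the subject line names is not addressed here either: `query` is still built by concatenating `status` and `taskid` into the SQL text, and the fix is a parameterized call such as `cursor.execute("UPDATE tasks SET task_status = %s WHERE taskid = %s", (status, taskid))`, after which the handler only has to cover genuine database failures. `db.close()` is added to this finally clause but to none of the other functions touched in the patch; whether that difference is intentional is not visible from the hunk. update_task_status begins outside the hunk.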
@@ -360,6 +380,7 @@ def set_projects_user(projectid, userid, read_permission="TRUE",
         db.commit()
     except mysql.connector.Error as err:
         print("Failed executing query: {}".format(err))
+        cursor.fetchall()
         exit(1)
     finally:
         cursor.close()
diff --git a/src/app/models/register.py b/src/app/models/register.py
index 39bccda..63fb8c9 100644
--- a/src/app/models/register.py
+++ b/src/app/models/register.py
@@ -37,6 +37,7 @@ def set_user(username, password, full_name, company, email,
         db.commit()
     except mysql.connector.Error as err:
         print("Failed executing query: {}".format(err))
+        cursor.fetchall()
         exit(1)
     finally:
         cursor.close()
diff --git a/src/app/models/user.py b/src/app/models/user.py
index 2ad3df9..0ba3839 100644
--- a/src/app/models/user.py
+++ b/src/app/models/user.py
@@ -15,6 +15,7 @@ def get_users():
     except mysql.connector.Error as err:
         print("Failed executing query: {}".format(err))
         users = []
+        cursor.fetchall()
         exit(1)
     finally:
         cursor.close()
@@ -30,12 +31,16 @@ def get_user_id_by_name(username):
     db.connect()
     cursor = db.cursor()
     query = ("SELECT userid from users WHERE username =\"" + username + "\"")
-    cursor.execute(query)
+
+    userid = None
     try:
-        userid = cursor.fetchall()[0][0]
+        cursor.execute(query)
+        users = cursor.fetchall()
+        if(len(users)):
+            userid = users[0][0]
     except mysql.connector.Error as err:
         print("Failed executing query: {}".format(err))
-        userid = None
+        cursor.fetchall()
         exit(1)
     finally:
         cursor.close()
@@ -51,12 +56,15 @@ def get_user_name_by_id(userid):
     db.connect()
     cursor = db.cursor()
     query = ("SELECT username from users WHERE userid =\"" + userid + "\"")
-    cursor.execute(query)
+    username = None
     try:
-        username = cursor.fetchall()[0][0]
+        cursor.execute(query)
+        users = cursor.fetchall()
+        if len(users):
+            username = users[0][0]
     except mysql.connector.Error as err:
         print("Failed executing query: {}".format(err))
-        username = None
+        cursor.fetchall()
         exit(1)
     finally:
         cursor.close()
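Review bot: get_user_id_by_name and get_user_name_by_id still interpolate `username` / `userid` straight into the SQL text on their `query = (...)` lines, so the rearranged try/except only changes how an injected quote fails, not whether it is possible; use placeholders, e.g. `cursor.execute("SELECT userid from users WHERE username = %s", (username,))`. The `if(len(users)):` guard in get_user_id_by_name is better written `if users:`, and the get_user_name_by_id hunk already uses the unparenthesised form, so the two should match. Initialising the result to `None` before the try and returning it for an unknown user is a sound change; the stray blank `+` line inserted after the query in get_user_id_by_name can go. Both functions begin and end outside these hunks.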
@@ -78,12 +86,15 @@ def match_user(username, password):
     cursor = db.cursor()
     query = ("SELECT userid, username from users where username = \"" + username + "\" and password = \"" + password + "\"")
-    cursor.execute(query)
+    user = None
     try:
-        user = cursor.fetchall()[0]
+        cursor.execute(query)
+        users = cursor.fetchall()
+        if len(users):
+            user = users[0]
     except mysql.connector.Error as err:
         print("Failed executing query: {}".format(err))
-        user = None
+        cursor.fetchall()
         exit(1)
     finally:
         cursor.close()
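Review bot: match_user compares the submitted `password` against the stored value inside the SQL text (`... and password = \"" + password + "\"`), which means both that credentials are held in the database in the clear and that the password field is a second string-concatenation point in this query; the function should instead select the stored credential by `username` through a placeholder and verify the submitted password against a salted hash in Python. With a parameterized `cursor.execute("SELECT userid, username, password from users where username = %s", (username,))` the new `len(users)` guard is the right shape, and a failed verification should return `None` exactly like an unknown user so the caller cannot tell the two cases apart. match_user begins outside the hunk.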