#30 Update SQL library, and prevent SQL injection

Слито
sindre слито 2 коммит(ов) из sql-injection в master 5 лет назад
  1. +4
    -5
      src/app/models/database.py
  2. +49
    -48
      src/app/models/project.py
  3. +4
    -6
      src/app/models/register.py
  4. +11
    -8
      src/app/models/user.py
  5. +1
    -1
      src/app/requirements.txt

+ 4
- 5
src/app/models/database.py Просмотреть файл

@@ -5,15 +5,14 @@ import os
groupid = os.getenv("groupid").lstrip("0")

"""
Connect the webserver to the database using the python mysql connecter.
Change the host address depending on where the mysql server is running. To connect to the
Connect the webserver to the database using the python mysql connecter.
Change the host address depending on where the mysql server is running. To connect to the
preconfigured docker container address use the Docker address. The default port is 3306.
"""
db = mysql.connector.connect(
user='root',
user='root',
password='root',
host='10.' + groupid + '.0.5', # Docker address
#host='0.0.0.0', # Local address
# host='0.0.0.0', # Local address
database='db'
)

+ 49
- 48
src/app/models/project.py Просмотреть файл

@@ -35,19 +35,17 @@ def set_project(categoryid, userid, project_title, project_description, project_
:type categoryid: str
:type userid: str
:type project_title: str
:type project_description: str
:type project_description: str
:type project_status: str
:return: The id of the new project
"""
db.connect()
cursor = db.cursor()
query = ("INSERT INTO projects VALUES (NULL, \"" +
categoryid + "\", \"" + userid + "\", \"" + project_title + "\", \"" +
project_description + "\", \"" + project_status + "\")")
query = ("INSERT INTO projects VALUES (NULL, %s, %s, %s, %s, %s)")
try:
cursor.execute(query)
cursor.execute(query, (categoryid, userid, project_title, project_description, project_status))
db.commit()
users_projects = get_projects_by_owner(userid)
users_projects = get_projects_by_owner(userid)
projectid = users_projects[-1][0]
except mysql.connector.Error as err:
print("Failed executing query: {}".format(err))
@@ -69,9 +67,9 @@ def get_project_by_id(projectid):
"""
db.connect()
cursor = db.cursor()
query = ("SELECT * FROM projects WHERE projectid = \"" + projectid + "\"")
query = ("SELECT * FROM projects WHERE projectid = %s")
try:
cursor.execute(query)
cursor.execute(query, (projectid,))
project = cursor.fetchall()
except mysql.connector.Error as err:
print("Failed executing query: {}".format(err))
@@ -93,10 +91,9 @@ def update_project_status(projectid, status):
"""
db.connect()
cursor = db.cursor()
query = ("UPDATE projects SET project_status = \"" + status +
"\" WHERE projectid = \"" + projectid + "\"")
query = ("UPDATE projects SET project_status = %s WHERE projectid = %s")
try:
cursor.execute(query)
cursor.execute(query, (status, projectid))
db.commit()
except mysql.connector.Error as err:
print("Failed executing query: {}".format(err))
@@ -118,10 +115,9 @@ def get_user_permissions(userid, projectid):
db.connect()
cursor = db.cursor()
query = ("SELECT read_permission, write_permission, modify_permission \
FROM projects_users WHERE projectid = \"" + projectid +
"\" AND userid = \"" + userid + "\"")
FROM projects_users WHERE projectid = %s AND userid = %s")
try:
cursor.execute(query)
cursor.execute(query, (projectid, userid))
permissions = cursor.fetchall()
except mysql.connector.Error as err:
print("Failed executing query: {}".format(err))
@@ -130,9 +126,12 @@ def get_user_permissions(userid, projectid):
finally:
cursor.close()
db.close()

if len(permissions):
return permissions[0]
return [0,0,0]

return [0, 0, 0]


def get_projects_by_status_and_category(categoryid, project_status):
"""
@@ -146,10 +145,9 @@ def get_projects_by_status_and_category(categoryid, project_status):
"""
db.connect()
cursor = db.cursor()
query = ("SELECT * FROM projects WHERE project_status = \"" +
project_status + "\" AND categoryid = \"" + categoryid + "\"")
query = ("SELECT * FROM projects WHERE project_status = %s AND categoryid = %s")
try:
cursor.execute(query)
cursor.execute(query, (project_status, categoryid))
projects = cursor.fetchall()
except mysql.connector.Error as err:
print("Failed executing query: {}".format(err))
@@ -161,6 +159,7 @@ def get_projects_by_status_and_category(categoryid, project_status):
db.close()
return projects


def get_projects_by_owner(userid):
"""
Retrieve all projects created by a specific user
@@ -170,9 +169,9 @@ def get_projects_by_owner(userid):
"""
db.connect()
cursor = db.cursor()
query = ("SELECT * FROM projects WHERE userid = \"" + userid + "\"")
query = ("SELECT * FROM projects WHERE userid = %s")
try:
cursor.execute(query)
cursor.execute(query, (userid,))
projects = cursor.fetchall()
except mysql.connector.Error as err:
print("Failed executing query: {}".format(err))
@@ -182,8 +181,10 @@ def get_projects_by_owner(userid):
finally:
cursor.close()
db.close()

return projects


def get_projects_by_status_and_owner(userid, project_status):
"""
Retrieve all projects owned by a user with a specific status
@@ -196,10 +197,9 @@ def get_projects_by_status_and_owner(userid, project_status):
"""
db.connect()
cursor = db.cursor()
query = ("SELECT * FROM projects WHERE project_status = \"" +
project_status + "\" AND userid = \"" + userid + "\"")
query = ("SELECT * FROM projects WHERE project_status = %s AND userid = %s")
try:
cursor.execute(query)
cursor.execute(query, (project_status, userid))
projects = cursor.fetchall()
except mysql.connector.Error as err:
print("Failed executing query: {}".format(err))
@@ -211,6 +211,7 @@ def get_projects_by_status_and_owner(userid, project_status):
db.close()
return projects


def get_projects_by_participant_and_status(userid, project_status):
"""
Retrieve all projects where the user is a participant with specific status
@@ -223,12 +224,11 @@ def get_projects_by_participant_and_status(userid, project_status):
"""
db.connect()
cursor = db.cursor()
query = ("SELECT * FROM projects, projects_users WHERE projects.project_status = \"" +
project_status + "\" AND projects_users.userid = \"" + userid +
"\" AND projects_users.projectid = projects.projectid")
query = ("SELECT * FROM projects, projects_users WHERE projects.project_status = %s AND " +
"projects_users.userid = %s AND projects_users.projectid = projects.projectid")
db.connect()
try:
cursor.execute(query)
cursor.execute(query, (project_status, userid))
projects = cursor.fetchall()
except mysql.connector.Error as err:
print("Failed executing query: {}".format(err))
@@ -240,6 +240,7 @@ def get_projects_by_participant_and_status(userid, project_status):
db.close()
return projects


def set_task(projectid, task_title, task_description, budget):
"""
Create a task
@@ -255,11 +256,10 @@ def set_task(projectid, task_title, task_description, budget):
"""
db.connect()
cursor = db.cursor()
query = ("INSERT INTO tasks (projectid, title, task_description, budget, task_status) VALUES (\"" +
projectid + "\", \"" + task_title + "\", \"" +
task_description + "\", \"" + budget + "\", \"waiting for delivery\")")
query = ("INSERT INTO tasks (projectid, title, task_description, budget, task_status) " +
"VALUES (%s, %s, %s, %s, \"waiting for delivery\")")
try:
cursor.execute(query)
cursor.execute(query, (projectid, task_title, task_description, budget))
db.commit()
except mysql.connector.Error as err:
print("Failed executing query: {}".format(err))
@@ -268,14 +268,14 @@ def set_task(projectid, task_title, task_description, budget):
finally:
cursor.close()
db.close()


def update_task_status(taskid, status):
db.connect()
cursor = db.cursor()
query = ("UPDATE tasks SET task_status = \"" + status +
"\" WHERE taskid = \"" + taskid + "\"")
query = ("UPDATE tasks SET task_status = %s WHERE taskid = %s")
try:
cursor.execute(query)
cursor.execute(query, (status, taskid))
db.commit()
except mysql.connector.Error as err:
print("Failed executing query: {}".format(err))
@@ -285,6 +285,7 @@ def update_task_status(taskid, status):
cursor.close()
db.close()


def get_tasks_by_project_id(projectid):
"""
Get all tasks belonging to a project
@@ -295,9 +296,9 @@ def get_tasks_by_project_id(projectid):
"""
db.connect()
cursor = db.cursor()
query = ("SELECT * FROM tasks WHERE projectid = \"" + projectid + "\"")
query = ("SELECT * FROM tasks WHERE projectid = %s")
try:
cursor.execute(query)
cursor.execute(query, (projectid,))
tasks = cursor.fetchall()
except mysql.connector.Error as err:
print("Failed executing query: {}".format(err))
@@ -309,6 +310,7 @@ def get_tasks_by_project_id(projectid):
db.close()
return tasks


def set_task_file(taskid, filename):
"""
Register a new task - file relationship
@@ -320,10 +322,9 @@ def set_task_file(taskid, filename):
"""
db.connect()
cursor = db.cursor()
query = ("INSERT INTO task_files (taskid, filename) VALUES (\"" +
taskid + "\", \"" + filename + "\")")
query = ("INSERT INTO task_files (taskid, filename) VALUES (%s, %s)")
try:
cursor.execute(query)
cursor.execute(query, (taskid, filename))
db.commit()
except mysql.connector.Error as err:
print("Failed executing query: {}".format(err))
@@ -333,6 +334,7 @@ def set_task_file(taskid, filename):
cursor.close()
db.close()


def get_task_files(taskid):
"""
Retrieve all filenames registered in a task
@@ -342,9 +344,9 @@ def get_task_files(taskid):
"""
db.connect()
cursor = db.cursor()
query = ("SELECT filename FROM task_files WHERE taskid = \"" + str(taskid) + "\"")
query = ("SELECT filename FROM task_files WHERE taskid = %s")
try:
cursor.execute(query)
cursor.execute(query, (str(taskid),))
filenames = cursor.fetchall()
except mysql.connector.Error as err:
print("Failed executing query: {}".format(err))
@@ -356,8 +358,9 @@ def get_task_files(taskid):
db.close()
return filenames

def set_projects_user(projectid, userid, read_permission="TRUE",
write_permission="NULL", modify_permission="NULL"):

def set_projects_user(projectid, userid, read_permission="TRUE",
write_permission="NULL", modify_permission="NULL"):
"""
Add a user to a project with specific permissions
:param projectid: The project id
@@ -372,11 +375,9 @@ def set_projects_user(projectid, userid, read_permission="TRUE",
"""
db.connect()
cursor = db.cursor()
query = ("INSERT INTO projects_users VALUES (\"" + projectid + "\", \"" +
userid + "\", " + read_permission + ", " +
write_permission + ", " + modify_permission + ")")
query = ("INSERT INTO projects_users VALUES (%s, %s, %s, %s, %s)")
try:
cursor.execute(query)
cursor.execute(query, (projectid, userid, read_permission, write_permission, modify_permission))
db.commit()
except mysql.connector.Error as err:
print("Failed executing query: {}".format(err))
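Review bot: Parameterising `set_projects_user` in the last hunk silently changed what its default permissions mean: `read_permission="TRUE"` and `write_permission="NULL"` / `modify_permission="NULL"` used to be spliced into the statement as the bare SQL literals TRUE and NULL, but with `%s` binding they are now sent as the quoted strings 'TRUE' and 'NULL', so the projects_users row gets whatever MySQL coerces those strings to on the target column (on a numeric/boolean column that is 0 with a warning, or an error in strict mode; the schema is not visible here). The defaults on the signature should become Python values, `read_permission=True, write_permission=None, modify_permission=None`, which the connector binds as 1/0 and NULL, and any caller still passing those strings needs the same change. Because this table is what `get_user_permissions` reads, a wrong value here quietly grants or denies access. Separately, `set_project` still derives the new id from `get_projects_by_owner(userid)[-1][0]`, which depends on row ordering and races with concurrent inserts; `projectid = cursor.lastrowid` right after the INSERT is the direct source. The tail of `set_projects_user` is outside the hunk.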


+ 4
- 6
src/app/models/register.py Просмотреть файл

@@ -1,7 +1,7 @@
from models.database import db
import mysql.connector

def set_user(username, password, full_name, company, email,
def set_user(username, password, full_name, company, email,
street_address, city, state, postal_code, country):
"""
Register a new user in the database
@@ -28,12 +28,10 @@ def set_user(username, password, full_name, company, email,
"""
db.connect()
cursor = db.cursor()
query = ("INSERT INTO users VALUES (NULL, \"" + username + "\", \"" +
password + "\", \"" + full_name + "\" , \"" + company + "\", \"" +
email + "\", \"" + street_address + "\", \"" + city + "\", \"" +
state + "\", \"" + postal_code + "\", \"" + country + "\")")
query = ("INSERT INTO users VALUES (NULL, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s)")
try:
cursor.execute(query)
cursor.execute(query, (username, password, full_name, company, email, street_address,
city, state, postal_code, country))
db.commit()
except mysql.connector.Error as err:
print("Failed executing query: {}".format(err))
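Review bot: The INSERT on the new query line still binds `password` exactly as received, so registered passwords are stored in plaintext; the parameter binding removes the injection but not the storage problem. Hash the password before binding it, e.g. `hashlib.pbkdf2_hmac` or `hashlib.scrypt` with a per-user random salt from `secrets.token_bytes`, and store the salt and digest (or one self-describing encoded string) in place of the raw value; the login query in user.py then has to verify against the stored hash instead of comparing in SQL. The column type and width for the password field are not visible here, so the stored encoding may need a schema change, and the function continues past the end of the hunk.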


+ 11
- 8
src/app/models/user.py Просмотреть файл

@@ -1,6 +1,7 @@
from models.database import db
import mysql.connector


def get_users():
"""
Retreive all registrered users from the database
@@ -22,6 +23,7 @@ def get_users():
db.close()
return users


def get_user_id_by_name(username):
"""
Get the id of the unique username
@@ -30,11 +32,11 @@ def get_user_id_by_name(username):
"""
db.connect()
cursor = db.cursor()
query = ("SELECT userid from users WHERE username =\"" + username + "\"")
query = ("SELECT userid from users WHERE username = %s")
userid = None
try:
cursor.execute(query)
cursor.execute(query, (username,))
users = cursor.fetchall()
if(len(users)):
userid = users[0][0]
@@ -47,6 +49,7 @@ def get_user_id_by_name(username):
db.close()
return userid


def get_user_name_by_id(userid):
"""
Get username from user id
@@ -55,10 +58,10 @@ def get_user_name_by_id(userid):
"""
db.connect()
cursor = db.cursor()
query = ("SELECT username from users WHERE userid =\"" + userid + "\"")
query = ("SELECT username from users WHERE userid = %s")
username = None
try:
cursor.execute(query)
cursor.execute(query, (userid,))
users = cursor.fetchall()
if len(users):
username = users[0][0]
@@ -71,6 +74,7 @@ def get_user_name_by_id(userid):
db.close()
return username


def match_user(username, password):
"""
Check if user credentials are correct, return if exists
@@ -83,11 +87,10 @@ def match_user(username, password):
"""
db.connect()
cursor = db.cursor()
query = ("SELECT userid, username from users where username = \"" + username +
"\" and password = \"" + password + "\"")
query = ("SELECT userid, username from users where username = %s and password = %s")
user = None
try:
cursor.execute(query)
cursor.execute(query, (username, password))
users = cursor.fetchall()
if len(users):
user = users[0]
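Review bot: `match_user` still authenticates by pushing the submitted password into the WHERE clause (`username = %s and password = %s`), which only works while the users table holds the plaintext (or an unsalted, deterministic hash); the binding fixes injection but leaves the credential comparison in the database. Select the row by username only, `SELECT userid, username, password from users where username = %s`, then verify the submitted password against the stored salted hash in Python with a constant-time comparison (`hmac.compare_digest`) and leave `user` as `None` on mismatch so the rest of the function behaves as before. The body of `match_user` continues past the end of the hunk, so its final return is not visible here.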


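--- a/src/app/requirements.txt
+++ b/src/app/requirements.txt
@@ -1,3 +1,3 @@
 web.py==0.40
-mysql-connector==2.2.9
+mysql-connector-python==8.0.*
 python-dotenv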