#30 Update SQL library, and prevent SQL injection

已合併
sindre 5 年之前 將 2 次代碼提交從 sql-injection合併至 master
  1. +0
    -1
      src/app/models/database.py
  2. +43
    -42
      src/app/models/project.py
  3. +3
    -5
      src/app/models/register.py
  4. +10
    -7
      src/app/models/user.py
  5. +1
    -1
      src/app/requirements.txt

+ 0
- 1
src/app/models/database.py

@@ -16,4 +16,3 @@ db = mysql.connector.connect(
# host='0.0.0.0', # Local address # host='0.0.0.0', # Local address
database='db' database='db'
) )

+ 43
- 42
src/app/models/project.py

@@ -41,11 +41,9 @@ def set_project(categoryid, userid, project_title, project_description, project_
""" """
db.connect() db.connect()
cursor = db.cursor() cursor = db.cursor()
query = ("INSERT INTO projects VALUES (NULL, \"" +
categoryid + "\", \"" + userid + "\", \"" + project_title + "\", \"" +
project_description + "\", \"" + project_status + "\")")
query = ("INSERT INTO projects VALUES (NULL, %s, %s, %s, %s, %s)")
try: try:
cursor.execute(query)
cursor.execute(query, (categoryid, userid, project_title, project_description, project_status))
db.commit() db.commit()
users_projects = get_projects_by_owner(userid) users_projects = get_projects_by_owner(userid)
projectid = users_projects[-1][0] projectid = users_projects[-1][0]
@@ -69,9 +67,9 @@ def get_project_by_id(projectid):
""" """
db.connect() db.connect()
cursor = db.cursor() cursor = db.cursor()
query = ("SELECT * FROM projects WHERE projectid = \"" + projectid + "\"")
query = ("SELECT * FROM projects WHERE projectid = %s")
try: try:
cursor.execute(query)
cursor.execute(query, (projectid,))
project = cursor.fetchall() project = cursor.fetchall()
except mysql.connector.Error as err: except mysql.connector.Error as err:
print("Failed executing query: {}".format(err)) print("Failed executing query: {}".format(err))
@@ -93,10 +91,9 @@ def update_project_status(projectid, status):
""" """
db.connect() db.connect()
cursor = db.cursor() cursor = db.cursor()
query = ("UPDATE projects SET project_status = \"" + status +
"\" WHERE projectid = \"" + projectid + "\"")
query = ("UPDATE projects SET project_status = %s WHERE projectid = %s")
try: try:
cursor.execute(query)
cursor.execute(query, (status, projectid))
db.commit() db.commit()
except mysql.connector.Error as err: except mysql.connector.Error as err:
print("Failed executing query: {}".format(err)) print("Failed executing query: {}".format(err))
@@ -118,10 +115,9 @@ def get_user_permissions(userid, projectid):
db.connect() db.connect()
cursor = db.cursor() cursor = db.cursor()
query = ("SELECT read_permission, write_permission, modify_permission \ query = ("SELECT read_permission, write_permission, modify_permission \
FROM projects_users WHERE projectid = \"" + projectid +
"\" AND userid = \"" + userid + "\"")
FROM projects_users WHERE projectid = %s AND userid = %s")
try: try:
cursor.execute(query)
cursor.execute(query, (projectid, userid))
permissions = cursor.fetchall() permissions = cursor.fetchall()
except mysql.connector.Error as err: except mysql.connector.Error as err:
print("Failed executing query: {}".format(err)) print("Failed executing query: {}".format(err))
@@ -130,10 +126,13 @@ def get_user_permissions(userid, projectid):
finally: finally:
cursor.close() cursor.close()
db.close() db.close()

if len(permissions): if len(permissions):
return permissions[0] return permissions[0]

return [0, 0, 0] return [0, 0, 0]



def get_projects_by_status_and_category(categoryid, project_status): def get_projects_by_status_and_category(categoryid, project_status):
""" """
Retrieve all projects from a category with a specific status Retrieve all projects from a category with a specific status
@@ -146,10 +145,9 @@ def get_projects_by_status_and_category(categoryid, project_status):
""" """
db.connect() db.connect()
cursor = db.cursor() cursor = db.cursor()
query = ("SELECT * FROM projects WHERE project_status = \"" +
project_status + "\" AND categoryid = \"" + categoryid + "\"")
query = ("SELECT * FROM projects WHERE project_status = %s AND categoryid = %s")
try: try:
cursor.execute(query)
cursor.execute(query, (project_status, categoryid))
projects = cursor.fetchall() projects = cursor.fetchall()
except mysql.connector.Error as err: except mysql.connector.Error as err:
print("Failed executing query: {}".format(err)) print("Failed executing query: {}".format(err))
@@ -161,6 +159,7 @@ def get_projects_by_status_and_category(categoryid, project_status):
db.close() db.close()
return projects return projects



def get_projects_by_owner(userid): def get_projects_by_owner(userid):
""" """
Retrieve all projects created by a specific user Retrieve all projects created by a specific user
@@ -170,9 +169,9 @@ def get_projects_by_owner(userid):
""" """
db.connect() db.connect()
cursor = db.cursor() cursor = db.cursor()
query = ("SELECT * FROM projects WHERE userid = \"" + userid + "\"")
query = ("SELECT * FROM projects WHERE userid = %s")
try: try:
cursor.execute(query)
cursor.execute(query, (userid,))
projects = cursor.fetchall() projects = cursor.fetchall()
except mysql.connector.Error as err: except mysql.connector.Error as err:
print("Failed executing query: {}".format(err)) print("Failed executing query: {}".format(err))
@@ -182,8 +181,10 @@ def get_projects_by_owner(userid):
finally: finally:
cursor.close() cursor.close()
db.close() db.close()

return projects return projects



def get_projects_by_status_and_owner(userid, project_status): def get_projects_by_status_and_owner(userid, project_status):
""" """
Retrieve all projects owned by a user with a specific status Retrieve all projects owned by a user with a specific status
@@ -196,10 +197,9 @@ def get_projects_by_status_and_owner(userid, project_status):
""" """
db.connect() db.connect()
cursor = db.cursor() cursor = db.cursor()
query = ("SELECT * FROM projects WHERE project_status = \"" +
project_status + "\" AND userid = \"" + userid + "\"")
query = ("SELECT * FROM projects WHERE project_status = %s AND userid = %s")
try: try:
cursor.execute(query)
cursor.execute(query, (project_status, userid))
projects = cursor.fetchall() projects = cursor.fetchall()
except mysql.connector.Error as err: except mysql.connector.Error as err:
print("Failed executing query: {}".format(err)) print("Failed executing query: {}".format(err))
@@ -211,6 +211,7 @@ def get_projects_by_status_and_owner(userid, project_status):
db.close() db.close()
return projects return projects



def get_projects_by_participant_and_status(userid, project_status): def get_projects_by_participant_and_status(userid, project_status):
""" """
Retrieve all projects where the user is a participant with specific status Retrieve all projects where the user is a participant with specific status
@@ -223,12 +224,11 @@ def get_projects_by_participant_and_status(userid, project_status):
""" """
db.connect() db.connect()
cursor = db.cursor() cursor = db.cursor()
query = ("SELECT * FROM projects, projects_users WHERE projects.project_status = \"" +
project_status + "\" AND projects_users.userid = \"" + userid +
"\" AND projects_users.projectid = projects.projectid")
query = ("SELECT * FROM projects, projects_users WHERE projects.project_status = %s AND " +
"projects_users.userid = %s AND projects_users.projectid = projects.projectid")
db.connect() db.connect()
try: try:
cursor.execute(query)
cursor.execute(query, (project_status, userid))
projects = cursor.fetchall() projects = cursor.fetchall()
except mysql.connector.Error as err: except mysql.connector.Error as err:
print("Failed executing query: {}".format(err)) print("Failed executing query: {}".format(err))
@@ -240,6 +240,7 @@ def get_projects_by_participant_and_status(userid, project_status):
db.close() db.close()
return projects return projects



def set_task(projectid, task_title, task_description, budget): def set_task(projectid, task_title, task_description, budget):
""" """
Create a task Create a task
@@ -255,11 +256,10 @@ def set_task(projectid, task_title, task_description, budget):
""" """
db.connect() db.connect()
cursor = db.cursor() cursor = db.cursor()
query = ("INSERT INTO tasks (projectid, title, task_description, budget, task_status) VALUES (\"" +
projectid + "\", \"" + task_title + "\", \"" +
task_description + "\", \"" + budget + "\", \"waiting for delivery\")")
query = ("INSERT INTO tasks (projectid, title, task_description, budget, task_status) " +
"VALUES (%s, %s, %s, %s, \"waiting for delivery\")")
try: try:
cursor.execute(query)
cursor.execute(query, (projectid, task_title, task_description, budget))
db.commit() db.commit()
except mysql.connector.Error as err: except mysql.connector.Error as err:
print("Failed executing query: {}".format(err)) print("Failed executing query: {}".format(err))
@@ -269,13 +269,13 @@ def set_task(projectid, task_title, task_description, budget):
cursor.close() cursor.close()
db.close() db.close()



def update_task_status(taskid, status): def update_task_status(taskid, status):
db.connect() db.connect()
cursor = db.cursor() cursor = db.cursor()
query = ("UPDATE tasks SET task_status = \"" + status +
"\" WHERE taskid = \"" + taskid + "\"")
query = ("UPDATE tasks SET task_status = %s WHERE taskid = %s")
try: try:
cursor.execute(query)
cursor.execute(query, (status, taskid))
db.commit() db.commit()
except mysql.connector.Error as err: except mysql.connector.Error as err:
print("Failed executing query: {}".format(err)) print("Failed executing query: {}".format(err))
@@ -285,6 +285,7 @@ def update_task_status(taskid, status):
cursor.close() cursor.close()
db.close() db.close()



def get_tasks_by_project_id(projectid): def get_tasks_by_project_id(projectid):
""" """
Get all tasks belonging to a project Get all tasks belonging to a project
@@ -295,9 +296,9 @@ def get_tasks_by_project_id(projectid):
""" """
db.connect() db.connect()
cursor = db.cursor() cursor = db.cursor()
query = ("SELECT * FROM tasks WHERE projectid = \"" + projectid + "\"")
query = ("SELECT * FROM tasks WHERE projectid = %s")
try: try:
cursor.execute(query)
cursor.execute(query, (projectid,))
tasks = cursor.fetchall() tasks = cursor.fetchall()
except mysql.connector.Error as err: except mysql.connector.Error as err:
print("Failed executing query: {}".format(err)) print("Failed executing query: {}".format(err))
@@ -309,6 +310,7 @@ def get_tasks_by_project_id(projectid):
db.close() db.close()
return tasks return tasks



def set_task_file(taskid, filename): def set_task_file(taskid, filename):
""" """
Register a new task - file relationship Register a new task - file relationship
@@ -320,10 +322,9 @@ def set_task_file(taskid, filename):
""" """
db.connect() db.connect()
cursor = db.cursor() cursor = db.cursor()
query = ("INSERT INTO task_files (taskid, filename) VALUES (\"" +
taskid + "\", \"" + filename + "\")")
query = ("INSERT INTO task_files (taskid, filename) VALUES (%s, %s)")
try: try:
cursor.execute(query)
cursor.execute(query, (taskid, filename))
db.commit() db.commit()
except mysql.connector.Error as err: except mysql.connector.Error as err:
print("Failed executing query: {}".format(err)) print("Failed executing query: {}".format(err))
@@ -333,6 +334,7 @@ def set_task_file(taskid, filename):
cursor.close() cursor.close()
db.close() db.close()



def get_task_files(taskid): def get_task_files(taskid):
""" """
Retrieve all filenames registered in a task Retrieve all filenames registered in a task
@@ -342,9 +344,9 @@ def get_task_files(taskid):
""" """
db.connect() db.connect()
cursor = db.cursor() cursor = db.cursor()
query = ("SELECT filename FROM task_files WHERE taskid = \"" + str(taskid) + "\"")
query = ("SELECT filename FROM task_files WHERE taskid = %s")
try: try:
cursor.execute(query)
cursor.execute(query, (str(taskid),))
filenames = cursor.fetchall() filenames = cursor.fetchall()
except mysql.connector.Error as err: except mysql.connector.Error as err:
print("Failed executing query: {}".format(err)) print("Failed executing query: {}".format(err))
@@ -356,6 +358,7 @@ def get_task_files(taskid):
db.close() db.close()
return filenames return filenames



def set_projects_user(projectid, userid, read_permission="TRUE", def set_projects_user(projectid, userid, read_permission="TRUE",
write_permission="NULL", modify_permission="NULL"): write_permission="NULL", modify_permission="NULL"):
""" """
@@ -372,11 +375,9 @@ def set_projects_user(projectid, userid, read_permission="TRUE",
""" """
db.connect() db.connect()
cursor = db.cursor() cursor = db.cursor()
query = ("INSERT INTO projects_users VALUES (\"" + projectid + "\", \"" +
userid + "\", " + read_permission + ", " +
write_permission + ", " + modify_permission + ")")
query = ("INSERT INTO projects_users VALUES (%s, %s, %s, %s, %s)")
try: try:
cursor.execute(query)
cursor.execute(query, (projectid, userid, read_permission, write_permission, modify_permission))
db.commit() db.commit()
except mysql.connector.Error as err: except mysql.connector.Error as err:
print("Failed executing query: {}".format(err)) print("Failed executing query: {}".format(err))
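Review bot: In the set_projects_user hunk the permission flags are now bound as parameters, so the defaults `"TRUE"` and `"NULL"` on the unchanged signature lines reach the server as the string literals 'TRUE' and 'NULL' instead of the SQL boolean and NULL the old concatenation produced. If those columns are BOOLEAN/TINYINT as the defaults suggest, MySQL will likely store 0 for both (or reject the INSERT under strict sql_mode), so every grant ends up with no permissions. Change the defaults to values the driver converts correctly — `def set_projects_user(projectid, userid, read_permission=True,` / `write_permission=None, modify_permission=None):` — and give any caller that still passes those strings the same treatment (callers are not visible here). set_projects_user's body continues past the end of the hunk. Separately, set_project still derives projectid from `get_projects_by_owner(userid)[-1][0]` after the INSERT, which is racy when the same user inserts concurrently; `cursor.lastrowid` is the id of the row just inserted.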


+ 3
- 5
src/app/models/register.py

@@ -28,12 +28,10 @@ def set_user(username, password, full_name, company, email,
""" """
db.connect() db.connect()
cursor = db.cursor() cursor = db.cursor()
query = ("INSERT INTO users VALUES (NULL, \"" + username + "\", \"" +
password + "\", \"" + full_name + "\" , \"" + company + "\", \"" +
email + "\", \"" + street_address + "\", \"" + city + "\", \"" +
state + "\", \"" + postal_code + "\", \"" + country + "\")")
query = ("INSERT INTO users VALUES (NULL, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s)")
try: try:
cursor.execute(query)
cursor.execute(query, (username, password, full_name, company, email, street_address,
city, state, postal_code, country))
db.commit() db.commit()
except mysql.connector.Error as err: except mysql.connector.Error as err:
print("Failed executing query: {}".format(err)) print("Failed executing query: {}".format(err))
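Review bot: The parameterized INSERT in set_user still binds `password` exactly as received, and the login path in user.py compares the submitted password against that column inside SQL, so unless a caller hashes before calling set_user (not visible here) the users table holds plaintext credentials; parameterization fixes injection but not this. Derive a per-user salt and a slow KDF digest before binding the value — `hashlib.scrypt` or `hashlib.pbkdf2_hmac` from the stdlib (add `import os, hashlib` at the top of the module), or a maintained bcrypt/argon2 package — and store the salt with the digest; the column must be wide enough for the encoded form. set_user's signature and the rest of its body lie outside the hunk, and match_user needs the matching verification change.
```python
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1)
    stored_password = salt.hex() + "$" + digest.hex()
    try:
        cursor.execute(query, (username, stored_password, full_name, company, email, street_address,
                               city, state, postal_code, country))
    # … unchanged: commit, error handling, cursor/db close …
```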


+ 10
- 7
src/app/models/user.py

@@ -1,6 +1,7 @@
from models.database import db from models.database import db
import mysql.connector import mysql.connector



def get_users(): def get_users():
""" """
Retreive all registrered users from the database Retreive all registrered users from the database
@@ -22,6 +23,7 @@ def get_users():
db.close() db.close()
return users return users



def get_user_id_by_name(username): def get_user_id_by_name(username):
""" """
Get the id of the unique username Get the id of the unique username
@@ -30,11 +32,11 @@ def get_user_id_by_name(username):
""" """
db.connect() db.connect()
cursor = db.cursor() cursor = db.cursor()
query = ("SELECT userid from users WHERE username =\"" + username + "\"")
query = ("SELECT userid from users WHERE username = %s")


userid = None userid = None
try: try:
cursor.execute(query)
cursor.execute(query, (username,))
users = cursor.fetchall() users = cursor.fetchall()
if(len(users)): if(len(users)):
userid = users[0][0] userid = users[0][0]
@@ -47,6 +49,7 @@ def get_user_id_by_name(username):
db.close() db.close()
return userid return userid



def get_user_name_by_id(userid): def get_user_name_by_id(userid):
""" """
Get username from user id Get username from user id
@@ -55,10 +58,10 @@ def get_user_name_by_id(userid):
""" """
db.connect() db.connect()
cursor = db.cursor() cursor = db.cursor()
query = ("SELECT username from users WHERE userid =\"" + userid + "\"")
query = ("SELECT username from users WHERE userid = %s")
username = None username = None
try: try:
cursor.execute(query)
cursor.execute(query, (userid,))
users = cursor.fetchall() users = cursor.fetchall()
if len(users): if len(users):
username = users[0][0] username = users[0][0]
@@ -71,6 +74,7 @@ def get_user_name_by_id(userid):
db.close() db.close()
return username return username



def match_user(username, password): def match_user(username, password):
""" """
Check if user credentials are correct, return if exists Check if user credentials are correct, return if exists
@@ -83,11 +87,10 @@ def match_user(username, password):
""" """
db.connect() db.connect()
cursor = db.cursor() cursor = db.cursor()
query = ("SELECT userid, username from users where username = \"" + username +
"\" and password = \"" + password + "\"")
query = ("SELECT userid, username from users where username = %s and password = %s")
user = None user = None
try: try:
cursor.execute(query)
cursor.execute(query, (username, password))
users = cursor.fetchall() users = cursor.fetchall()
if len(users): if len(users):
user = users[0] user = users[0]
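Review bot: match_user's new query `where username = %s and password = %s` still has the database compare the submitted password to the stored column, which only works if that column is the plaintext (or the caller pre-hashes, which isn't visible here), and with client-side parameter substitution the password can also end up in the server's general query log. Select the stored value by username alone and verify in Python — recompute the KDF with the stored salt and compare with `hmac.compare_digest` — returning the same `(userid, username)` tuple callers get today; this needs `import hashlib, hmac` at the top of the module and assumes the `salt$digest` format written at registration. match_user's except/finally and return lie past the end of the hunk.
```python
    query = ("SELECT userid, username, password from users where username = %s")
    user = None
    try:
        cursor.execute(query, (username,))
        row = cursor.fetchone()
        if row is not None:
            salt_hex, digest_hex = row[2].split("$", 1)
            candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex), n=2**14, r=8, p=1)
            if hmac.compare_digest(candidate.hex(), digest_hex):
                user = row[:2]
    # … unchanged: error handling, cursor/db close, return user …
```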


+ 1
- 1
src/app/requirements.txt

@@ -1,3 +1,3 @@
web.py==0.40 web.py==0.40
mysql-connector==2.2.9
mysql-connector-python==8.0.*
python-dotenv python-dotenv
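Review bot: `mysql-connector-python==8.0.*` is a floating pin, so each install may resolve a different patch release and the deployment is not reproducible; the line it replaces at least pinned an exact version. Pin the exact release you tested (`mysql-connector-python==8.0.N` for the N you ran against) and consider a hash-locked requirements file (`pip-compile --generate-hashes`, `pip install --require-hashes`) so a yanked or compromised upload cannot be pulled in silently. `python-dotenv` has no pin at all and deserves the same treatment.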
