#30 Update SQL library, and prevent SQL injection

已合并
sindre 5 年前 将 2 次代码提交从 sql-injection合并至 master
  1. +1
    -2
      src/app/models/database.py
  2. +44
    -43
      src/app/models/project.py
  3. +3
    -5
      src/app/models/register.py
  4. +10
    -7
      src/app/models/user.py
  5. +1
    -1
      src/app/requirements.txt

+ 1
- 2
src/app/models/database.py 查看文件

@@ -13,7 +13,6 @@ db = mysql.connector.connect(
user='root',
password='root',
host='10.' + groupid + '.0.5', # Docker address
#host='0.0.0.0', # Local address
# host='0.0.0.0', # Local address
database='db'
)

+ 44
- 43
src/app/models/project.py 查看文件

@@ -41,11 +41,9 @@ def set_project(categoryid, userid, project_title, project_description, project_
"""
db.connect()
cursor = db.cursor()
query = ("INSERT INTO projects VALUES (NULL, \"" +
categoryid + "\", \"" + userid + "\", \"" + project_title + "\", \"" +
project_description + "\", \"" + project_status + "\")")
query = ("INSERT INTO projects VALUES (NULL, %s, %s, %s, %s, %s)")
try:
cursor.execute(query)
cursor.execute(query, (categoryid, userid, project_title, project_description, project_status))
db.commit()
users_projects = get_projects_by_owner(userid)
projectid = users_projects[-1][0]
@@ -69,9 +67,9 @@ def get_project_by_id(projectid):
"""
db.connect()
cursor = db.cursor()
query = ("SELECT * FROM projects WHERE projectid = \"" + projectid + "\"")
query = ("SELECT * FROM projects WHERE projectid = %s")
try:
cursor.execute(query)
cursor.execute(query, (projectid,))
project = cursor.fetchall()
except mysql.connector.Error as err:
print("Failed executing query: {}".format(err))
@@ -93,10 +91,9 @@ def update_project_status(projectid, status):
"""
db.connect()
cursor = db.cursor()
query = ("UPDATE projects SET project_status = \"" + status +
"\" WHERE projectid = \"" + projectid + "\"")
query = ("UPDATE projects SET project_status = %s WHERE projectid = %s")
try:
cursor.execute(query)
cursor.execute(query, (status, projectid))
db.commit()
except mysql.connector.Error as err:
print("Failed executing query: {}".format(err))
@@ -118,10 +115,9 @@ def get_user_permissions(userid, projectid):
db.connect()
cursor = db.cursor()
query = ("SELECT read_permission, write_permission, modify_permission \
FROM projects_users WHERE projectid = \"" + projectid +
"\" AND userid = \"" + userid + "\"")
FROM projects_users WHERE projectid = %s AND userid = %s")
try:
cursor.execute(query)
cursor.execute(query, (projectid, userid))
permissions = cursor.fetchall()
except mysql.connector.Error as err:
print("Failed executing query: {}".format(err))
@@ -130,9 +126,12 @@ def get_user_permissions(userid, projectid):
finally:
cursor.close()
db.close()

if len(permissions):
return permissions[0]
return [0,0,0]

return [0, 0, 0]


def get_projects_by_status_and_category(categoryid, project_status):
"""
@@ -146,10 +145,9 @@ def get_projects_by_status_and_category(categoryid, project_status):
"""
db.connect()
cursor = db.cursor()
query = ("SELECT * FROM projects WHERE project_status = \"" +
project_status + "\" AND categoryid = \"" + categoryid + "\"")
query = ("SELECT * FROM projects WHERE project_status = %s AND categoryid = %s")
try:
cursor.execute(query)
cursor.execute(query, (project_status, categoryid))
projects = cursor.fetchall()
except mysql.connector.Error as err:
print("Failed executing query: {}".format(err))
@@ -161,6 +159,7 @@ def get_projects_by_status_and_category(categoryid, project_status):
db.close()
return projects


def get_projects_by_owner(userid):
"""
Retrieve all projects created by a specific user
@@ -170,9 +169,9 @@ def get_projects_by_owner(userid):
"""
db.connect()
cursor = db.cursor()
query = ("SELECT * FROM projects WHERE userid = \"" + userid + "\"")
query = ("SELECT * FROM projects WHERE userid = %s")
try:
cursor.execute(query)
cursor.execute(query, (userid,))
projects = cursor.fetchall()
except mysql.connector.Error as err:
print("Failed executing query: {}".format(err))
@@ -182,8 +181,10 @@ def get_projects_by_owner(userid):
finally:
cursor.close()
db.close()

return projects


def get_projects_by_status_and_owner(userid, project_status):
"""
Retrieve all projects owned by a user with a specific status
@@ -196,10 +197,9 @@ def get_projects_by_status_and_owner(userid, project_status):
"""
db.connect()
cursor = db.cursor()
query = ("SELECT * FROM projects WHERE project_status = \"" +
project_status + "\" AND userid = \"" + userid + "\"")
query = ("SELECT * FROM projects WHERE project_status = %s AND userid = %s")
try:
cursor.execute(query)
cursor.execute(query, (project_status, userid))
projects = cursor.fetchall()
except mysql.connector.Error as err:
print("Failed executing query: {}".format(err))
@@ -211,6 +211,7 @@ def get_projects_by_status_and_owner(userid, project_status):
db.close()
return projects


def get_projects_by_participant_and_status(userid, project_status):
"""
Retrieve all projects where the user is a participant with specific status
@@ -223,12 +224,11 @@ def get_projects_by_participant_and_status(userid, project_status):
"""
db.connect()
cursor = db.cursor()
query = ("SELECT * FROM projects, projects_users WHERE projects.project_status = \"" +
project_status + "\" AND projects_users.userid = \"" + userid +
"\" AND projects_users.projectid = projects.projectid")
query = ("SELECT * FROM projects, projects_users WHERE projects.project_status = %s AND " +
"projects_users.userid = %s AND projects_users.projectid = projects.projectid")
db.connect()
try:
cursor.execute(query)
cursor.execute(query, (project_status, userid))
projects = cursor.fetchall()
except mysql.connector.Error as err:
print("Failed executing query: {}".format(err))
@@ -240,6 +240,7 @@ def get_projects_by_participant_and_status(userid, project_status):
db.close()
return projects


def set_task(projectid, task_title, task_description, budget):
"""
Create a task
@@ -255,11 +256,10 @@ def set_task(projectid, task_title, task_description, budget):
"""
db.connect()
cursor = db.cursor()
query = ("INSERT INTO tasks (projectid, title, task_description, budget, task_status) VALUES (\"" +
projectid + "\", \"" + task_title + "\", \"" +
task_description + "\", \"" + budget + "\", \"waiting for delivery\")")
query = ("INSERT INTO tasks (projectid, title, task_description, budget, task_status) " +
"VALUES (%s, %s, %s, %s, \"waiting for delivery\")")
try:
cursor.execute(query)
cursor.execute(query, (projectid, task_title, task_description, budget))
db.commit()
except mysql.connector.Error as err:
print("Failed executing query: {}".format(err))
@@ -269,13 +269,13 @@ def set_task(projectid, task_title, task_description, budget):
cursor.close()
db.close()


def update_task_status(taskid, status):
db.connect()
cursor = db.cursor()
query = ("UPDATE tasks SET task_status = \"" + status +
"\" WHERE taskid = \"" + taskid + "\"")
query = ("UPDATE tasks SET task_status = %s WHERE taskid = %s")
try:
cursor.execute(query)
cursor.execute(query, (status, taskid))
db.commit()
except mysql.connector.Error as err:
print("Failed executing query: {}".format(err))
@@ -285,6 +285,7 @@ def update_task_status(taskid, status):
cursor.close()
db.close()


def get_tasks_by_project_id(projectid):
"""
Get all tasks belonging to a project
@@ -295,9 +296,9 @@ def get_tasks_by_project_id(projectid):
"""
db.connect()
cursor = db.cursor()
query = ("SELECT * FROM tasks WHERE projectid = \"" + projectid + "\"")
query = ("SELECT * FROM tasks WHERE projectid = %s")
try:
cursor.execute(query)
cursor.execute(query, (projectid,))
tasks = cursor.fetchall()
except mysql.connector.Error as err:
print("Failed executing query: {}".format(err))
@@ -309,6 +310,7 @@ def get_tasks_by_project_id(projectid):
db.close()
return tasks


def set_task_file(taskid, filename):
"""
Register a new task - file relationship
@@ -320,10 +322,9 @@ def set_task_file(taskid, filename):
"""
db.connect()
cursor = db.cursor()
query = ("INSERT INTO task_files (taskid, filename) VALUES (\"" +
taskid + "\", \"" + filename + "\")")
query = ("INSERT INTO task_files (taskid, filename) VALUES (%s, %s)")
try:
cursor.execute(query)
cursor.execute(query, (taskid, filename))
db.commit()
except mysql.connector.Error as err:
print("Failed executing query: {}".format(err))
@@ -333,6 +334,7 @@ def set_task_file(taskid, filename):
cursor.close()
db.close()


def get_task_files(taskid):
"""
Retrieve all filenames registered in a task
@@ -342,9 +344,9 @@ def get_task_files(taskid):
"""
db.connect()
cursor = db.cursor()
query = ("SELECT filename FROM task_files WHERE taskid = \"" + str(taskid) + "\"")
query = ("SELECT filename FROM task_files WHERE taskid = %s")
try:
cursor.execute(query)
cursor.execute(query, (str(taskid),))
filenames = cursor.fetchall()
except mysql.connector.Error as err:
print("Failed executing query: {}".format(err))
@@ -356,6 +358,7 @@ def get_task_files(taskid):
db.close()
return filenames


def set_projects_user(projectid, userid, read_permission="TRUE",
write_permission="NULL", modify_permission="NULL"):
"""
@@ -372,11 +375,9 @@ def set_projects_user(projectid, userid, read_permission="TRUE",
"""
db.connect()
cursor = db.cursor()
query = ("INSERT INTO projects_users VALUES (\"" + projectid + "\", \"" +
userid + "\", " + read_permission + ", " +
write_permission + ", " + modify_permission + ")")
query = ("INSERT INTO projects_users VALUES (%s, %s, %s, %s, %s)")
try:
cursor.execute(query)
cursor.execute(query, (projectid, userid, read_permission, write_permission, modify_permission))
db.commit()
except mysql.connector.Error as err:
print("Failed executing query: {}".format(err))
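Review bot: The parameterized INSERT in set_projects_user changes what reaches the database for the permission columns: the old string-built query emitted the bare SQL tokens `TRUE` and `NULL`, but bound `%s` parameters are quoted, so the defaults `"TRUE"` and `"NULL"` now arrive as the string literals 'TRUE' and 'NULL'. Assuming the columns are boolean/integer as the old bare tokens imply, MySQL will either reject the row in strict mode or coerce both to 0 with a truncation warning, so a newly added participant gets no read permission (or the grant silently fails, since the error is only printed). Bind real Python values instead — `True`/`False`/`None` map to 1/0/NULL — and normalize the legacy string tokens for callers that still pass them; the defaults in the signature (above this hunk) should become `True`, `None`, `None`.
```python
# Old callers passed raw SQL tokens; bind real values so the driver does not quote them.
_PERMISSION_TOKENS = {"TRUE": True, "FALSE": False, "NULL": None}


def _permission_value(value):
    """Map legacy "TRUE"/"FALSE"/"NULL" strings to True/False/None; pass anything else through."""
    if isinstance(value, str):
        return _PERMISSION_TOKENS.get(value.upper(), value)
    return value


def set_projects_user(projectid, userid, read_permission=True,
                      write_permission=None, modify_permission=None):
    # … unchanged: docstring, db.connect(), cursor …
    query = ("INSERT INTO projects_users VALUES (%s, %s, %s, %s, %s)")
    try:
        cursor.execute(query, (projectid, userid,
                               _permission_value(read_permission),
                               _permission_value(write_permission),
                               _permission_value(modify_permission)))
        # … unchanged: commit / error handling …
```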


+ 3
- 5
src/app/models/register.py 查看文件

@@ -28,12 +28,10 @@ def set_user(username, password, full_name, company, email,
"""
db.connect()
cursor = db.cursor()
query = ("INSERT INTO users VALUES (NULL, \"" + username + "\", \"" +
password + "\", \"" + full_name + "\" , \"" + company + "\", \"" +
email + "\", \"" + street_address + "\", \"" + city + "\", \"" +
state + "\", \"" + postal_code + "\", \"" + country + "\")")
query = ("INSERT INTO users VALUES (NULL, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s)")
try:
cursor.execute(query)
cursor.execute(query, (username, password, full_name, company, email, street_address,
city, state, postal_code, country))
db.commit()
except mysql.connector.Error as err:
print("Failed executing query: {}".format(err))
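Review bot: set_user binds `password` straight into the INSERT, and nothing in this hunk hashes it first; match_user in user.py compares the raw password inside the SQL WHERE clause, which only works if the column holds the plaintext, so a dump of the users table exposes every credential. Derive a salted hash here before the execute and store that instead, then change match_user to fetch the stored value and verify it in Python with `hmac.compare_digest`. The function's signature and docstring start above the hunk and the commit/error handling runs past it; note also that a failed INSERT is only printed, so the caller cannot tell registration did not happen.
```python
    # Store a salted hash so a leaked users table does not expose credentials;
    # match_user must then fetch this value and verify it with hmac.compare_digest.
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 600_000)
    stored_password = salt.hex() + "$" + digest.hex()
    query = ("INSERT INTO users VALUES (NULL, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s)")
    try:
        cursor.execute(query, (username, stored_password, full_name, company, email, street_address,
                               city, state, postal_code, country))
        # … unchanged: commit / error handling …
```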


+ 10
- 7
src/app/models/user.py 查看文件

@@ -1,6 +1,7 @@
from models.database import db
import mysql.connector


def get_users():
"""
Retreive all registrered users from the database
@@ -22,6 +23,7 @@ def get_users():
db.close()
return users


def get_user_id_by_name(username):
"""
Get the id of the unique username
@@ -30,11 +32,11 @@ def get_user_id_by_name(username):
"""
db.connect()
cursor = db.cursor()
query = ("SELECT userid from users WHERE username =\"" + username + "\"")
query = ("SELECT userid from users WHERE username = %s")

userid = None
try:
cursor.execute(query)
cursor.execute(query, (username,))
users = cursor.fetchall()
if(len(users)):
userid = users[0][0]
@@ -47,6 +49,7 @@ def get_user_id_by_name(username):
db.close()
return userid


def get_user_name_by_id(userid):
"""
Get username from user id
@@ -55,10 +58,10 @@ def get_user_name_by_id(userid):
"""
db.connect()
cursor = db.cursor()
query = ("SELECT username from users WHERE userid =\"" + userid + "\"")
query = ("SELECT username from users WHERE userid = %s")
username = None
try:
cursor.execute(query)
cursor.execute(query, (userid,))
users = cursor.fetchall()
if len(users):
username = users[0][0]
@@ -71,6 +74,7 @@ def get_user_name_by_id(userid):
db.close()
return username


def match_user(username, password):
"""
Check if user credentials are correct, return if exists
@@ -83,11 +87,10 @@ def match_user(username, password):
"""
db.connect()
cursor = db.cursor()
query = ("SELECT userid, username from users where username = \"" + username +
"\" and password = \"" + password + "\"")
query = ("SELECT userid, username from users where username = %s and password = %s")
user = None
try:
cursor.execute(query)
cursor.execute(query, (username, password))
users = cursor.fetchall()
if len(users):
user = users[0]
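Review bot: match_user still delegates the password check to the database (`where username = %s and password = %s`), which requires the stored value to be the raw password and makes the comparison follow the column's collation — if the column uses one of MySQL's default `_ci` collations, 'Secret' and 'secret' compare equal, so the check is weaker than the password itself. Select by username only, `SELECT userid, username, password from users where username = %s`, and verify the submitted password in Python against a salted hash written at registration using `hmac.compare_digest`, leaving `user = None` on mismatch. The remainder of match_user, including what it returns, lies outside the hunk.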


+ 1
- 1
src/app/requirements.txt 查看文件

@@ -1,3 +1,3 @@
web.py==0.40
mysql-connector==2.2.9
mysql-connector-python==8.0.*
python-dotenv
