From 2fc3a1c38f8df96de131d29a2d4c6678b56f2fb2 Mon Sep 17 00:00:00 2001
From: TiynGER
Date: Tue, 17 Nov 2020 12:48:46 +0100
Subject: [PATCH] database: included sqlite and parameter substitution

Before we used insecure python variables to assemble a query string. Now we use the DB-APIs parameter subtitution. pymysqlite was switched for sqlite due to being included in python.
---
 src/database.py | 14 +++++++-------
 src/requirements.txt | 1 -
 2 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/src/database.py b/src/database.py
index 5337698..ee1a89e 100755
--- a/src/database.py
+++ b/src/database.py
@@ -2,7 +2,7 @@
 import time
 import logging as log
 import os
-import pysqlite3
+import sqlite3
 class Database:
@@ -18,7 +18,7 @@ class Database:
 attributes.
 """
 path = os.path.join(self.DB_DIR, "data.db")
- return pysqlite3.connect(path)
+ return sqlite3.connect(path)
 def setup_db(self):
 """Creates a database with tables."""
@@ -43,9 +43,9 @@ class Database:
 crs = db.cursor()
 log.debug('file: ' + file_id + ' time: ' + time)
 query = "INSERT INTO " + self.TABLE_FILE + "(`id`,`ch_date`)" + \
- "VALUES ('" + file_id + "','" + time + "')" + \
- "ON CONFLICT(`id`) DO UPDATE SET `ch_date` = '" + time + "'"
- crs.execute(query)
+ "VALUES ( ?, ? )" + \
+ "ON CONFLICT(`id`) DO UPDATE SET `ch_date` = ?"
+ crs.execute(query, (file_id, time, time))
 db.commit()
 def get_last_file_dl(self, file_id):
@@ -61,8 +61,8 @@ class Database:
 return None
 db = self.connect()
 crs = db.cursor()
- query = "SELECT ch_date FROM files WHERE id ='" + file_id + "'"
- crs.execute(query)
+ query = "SELECT ch_date FROM files WHERE id = ?"
+ crs.execute(query, (file_id, ))
 res = crs.fetchone()
 if res != None:
 return res[0]
diff --git a/src/requirements.txt b/src/requirements.txt
index e1c976e..989b995 100644
--- a/src/requirements.txt
+++ b/src/requirements.txt
@@ -1,2 +1 @@
-pysqlite3==0.4.3
 requests==2.24.0
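Review bot: The upsert on the added `ON CONFLICT(id) DO UPDATE` line requires SQLite 3.24.0 or newer, and this commit swaps the pysqlite3 wheel, which ships its own recent SQLite, for the stdlib `sqlite3` module, whose SQLite is whatever the interpreter was linked against; on an older runtime the statement raises `sqlite3.OperationalError` rather than degrading. A guard such as `if sqlite3.sqlite_version_info < (3, 24, 0): raise RuntimeError("SQLite >= 3.24.0 required for ON CONFLICT upserts")` in `connect` or `setup_db`, or at least a comment stating the requirement, would make the failure explicit. The `time` value is also bound twice; SQLite's `excluded` pseudo-table lets the update reuse the inserted value, `"ON CONFLICT(id) DO UPDATE SET ch_date = excluded.ch_date"` with `crs.execute(query, (file_id, time))`. The only value still concatenated into the query is `self.TABLE_FILE`, an identifier that cannot be bound as a parameter, which is acceptable if it is a class constant rather than anything caller-supplied — its definition is not visible here. The enclosing method's signature lies outside the hunk.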
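Review bot: The rewritten SELECT hard-codes the table name `files` while the INSERT in the same class reads it from `self.TABLE_FILE`; if that constant ever differs, reads and writes silently target different tables. Since the line is being rewritten anyway, `query = "SELECT ch_date FROM " + self.TABLE_FILE + " WHERE id = ?"` keeps both statements on one table, and because the identifier is a class attribute rather than caller input it adds no new injection surface (assuming TABLE_FILE is a constant, which is not visible here). Nothing in the visible lines closes the connection returned by `self.connect()`, and the found path returns straight from `return res[0]`, so each lookup leaves a handle open until garbage collection; `with contextlib.closing(self.connect()) as db:` around the query would close it deterministically. The method's signature and its remaining tail lie outside the hunk.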