database: included sqlite and parameter substitution

Before we used insecure python variables to assemble a query string.
Now we use the DB-API's parameter substitution.
pymysqlite was switched for sqlite due to being included in python.
master
TiynGER 4 years ago
parent 371c4f5064
commit 2fc3a1c38f

@ -2,7 +2,7 @@ import time
import logging as log import logging as log
import os import os
import pysqlite3 import sqlite3
class Database: class Database:
@ -18,7 +18,7 @@ class Database:
attributes. attributes.
""" """
path = os.path.join(self.DB_DIR, "data.db") path = os.path.join(self.DB_DIR, "data.db")
return pysqlite3.connect(path) return sqlite3.connect(path)
def setup_db(self): def setup_db(self):
"""Creates a database with tables.""" """Creates a database with tables."""
@ -43,9 +43,9 @@ class Database:
crs = db.cursor() crs = db.cursor()
log.debug('file: ' + file_id + ' time: ' + time) log.debug('file: ' + file_id + ' time: ' + time)
query = "INSERT INTO " + self.TABLE_FILE + "(`id`,`ch_date`)" + \ query = "INSERT INTO " + self.TABLE_FILE + "(`id`,`ch_date`)" + \
"VALUES ('" + file_id + "','" + time + "')" + \ "VALUES ( ?, ? )" + \
"ON CONFLICT(`id`) DO UPDATE SET `ch_date` = '" + time + "'" "ON CONFLICT(`id`) DO UPDATE SET `ch_date` = ?"
crs.execute(query) crs.execute(query, (file_id, time, time))
db.commit() db.commit()
def get_last_file_dl(self, file_id): def get_last_file_dl(self, file_id):
@ -61,8 +61,8 @@ class Database:
return None return None
db = self.connect() db = self.connect()
crs = db.cursor() crs = db.cursor()
query = "SELECT ch_date FROM files WHERE id ='" + file_id + "'" query = "SELECT ch_date FROM files WHERE id = ?"
crs.execute(query) crs.execute(query, (file_id, ))
res = crs.fetchone() res = crs.fetchone()
if res != None: if res != None:
return res[0] return res[0]
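Review bot: Switching from `pysqlite3` to the stdlib `sqlite3` changes which SQLite engine runs the `INSERT ... ON CONFLICT(`id`) DO UPDATE` upsert, and that syntax needs SQLite 3.24.0 or newer; `pysqlite3` bundles its own recent engine, whereas `sqlite3` uses whatever the interpreter was built against, so on an older runtime `crs.execute(query, (file_id, time, time))` will presumably raise `sqlite3.OperationalError` rather than upsert. A guard in `connect()` (its body is partly outside the hunk) makes the requirement explicit: `if sqlite3.sqlite_version_info < (3, 24, 0): raise RuntimeError("SQLite >= 3.24.0 is required for ON CONFLICT ... DO UPDATE")`. The remaining `"INSERT INTO " + self.TABLE_FILE` concatenation is acceptable only because the table name is a class attribute, not caller input; a comment such as `# TABLE_FILE is a class constant, never user input; all values go through ? placeholders` would keep a later edit from treating this as a safe pattern for caller-supplied identifiers. Separately, neither hunk shows the connection from `db = self.connect()` being closed; if the enclosing methods, which start and end outside the hunk, do not close it, wrap it as `with contextlib.closing(self.connect()) as db:` so each call does not leak a file handle.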

@ -1,2 +1 @@
pysqlite3==0.4.3
requests==2.24.0 requests==2.24.0
