
Commit 97938ef

committed
Fixing SQL injection
1 parent 25709c2 commit 97938ef


1 file changed

+17
-9
lines changed


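--- a/packet/member.py
+++ b/packet/member.py
@@ -113,11 +113,13 @@ def query_signed_intromember(member):
     :param member: the user making the query
     :return: list of results matching the query
     """
-    try:
-        return db.engine.execute("""
+
+    s = """
     SELECT DISTINCT packet.freshman_username AS username, signature_fresh.signed AS signed FROM packet
     INNER JOIN signature_fresh ON packet.id = signature_fresh.packet_id
-    WHERE signature_fresh.freshman_username = '""" + member + "';")
+    WHERE signature_fresh.freshman_username = ':member';"""
+    try:
+        return db.engine.execute(s, member=member)
 
     except exc.SQLAlchemyError:
         raise exc.SQLAlchemyError("Error: Failed to get intromember's signatures from database")
@@ -129,11 +131,14 @@ def query_signed_upperclassman(member):
     :param member: the user making the query
     :return: list of results matching the query
     """
-    try:
-        return db.engine.execute("""
+
+    s = """
     SELECT DISTINCT packet.freshman_username AS username, signature_upper.signed AS signed FROM packet
     INNER JOIN signature_upper ON packet.id = signature_upper.packet_id
-    WHERE signature_upper.member = '""" + member + "';")
+    WHERE signature_upper.member = ':member';"""
+
+    try:
+        return db.engine.execute(s, member=member)
 
     except exc.SQLAlchemyError:
         raise exc.SQLAlchemyError("Error: Failed to get upperclassman's signatures from database")
@@ -145,11 +150,14 @@ def query_signed_alumni(member):
     :param member: the user making the query
     :return: list of results matching the query
     """
-    try:
-        return db.engine.execute("""
+
+    s = """
     SELECT DISTINCT packet.freshman_username AS username, signature_misc.member AS signed
     FROM packet LEFT OUTER JOIN signature_misc ON packet.id = signature_misc.packet_id
-    WHERE signature_misc.member = '""" + member + "' OR signature_misc.member ISNULL;")
+    WHERE signature_misc.member = ':member' OR signature_misc.member ISNULL;"""
+
+    try:
+        return db.engine.execute(s, member=member)
 
     except exc.SQLAlchemyError:
         raise exc.SQLAlchemyError("Error: Failed to get alumni's signatures from database")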
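Review bot: The bind parameter on the new WHERE line of `query_signed_intromember` is still wrapped in single quotes, so `':member'` is sent as a plain string literal and the `member=member` argument is never substituted into it; the concatenation is gone, but the query now compares against the literal text `:member` and will match no rows. The same pattern is in the `query_signed_upperclassman` and `query_signed_alumni` hunks. Drop the quotes and pass the statement through SQLAlchemy's `text()` so the named bind is parsed independently of the driver's paramstyle: `WHERE signature_fresh.freshman_username = :member;"""` and `return db.engine.execute(text(s), member=member)`, with `from sqlalchemy import text` added to the module imports (which are outside this section). Whether `db.engine.execute` on a bare string parses `:name` binds at all depends on the SQLAlchemy version in use, so the `text()` wrapper is the form worth pinning down in a test that exercises the query with a real `member` value.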
