Fixed SQL Injection Vulnerabilities

TomacGG · TomacGG · commit 5e3ef88ad2ba · 2024-09-10T14:21:58.000+02:00
diff --git a/content/app.py b/content/app.py
@@ -19,7 +19,6 @@
 def log_request():
     log_file.write(f"{request.method} {request.path} {dict(request.form) if request.form else ''}\n")
 
-
 # Set user_id on request if user is logged in, or else set it to None.
 @app.before_request
 def check_authentication():
@@ -48,15 +47,28 @@ def get_comments_page(quote_id):
 @app.route("/quotes", methods=["POST"])
 def post_quote():
     with db:
-        db.execute(f"""insert into quotes(text,attribution) values("{request.form['text']}","{request.form['attribution']}")""")
+        db.execute("""
+    INSERT INTO quotes (text, attribution) 
+    VALUES (:text, :attribution)
+    """, {"text": request.form['text'], "attribution": request.form['attribution']}
+)
+
     return redirect("/#bottom")
 
 
 # Post a new comment
 @app.route("/quotes/<int:quote_id>/comments", methods=["POST"])
 def post_comment(quote_id):
     with db:
-        db.execute(f"""insert into comments(text,quote_id,user_id) values("{request.form['text']}",{quote_id},{request.user_id})""")
+        db.execute("""
+    INSERT INTO comments (text, quote_id, user_id) 
+    VALUES (:text, :quote_id, :user_id)
+    """, {
+        "text": request.form['text'],
+        "quote_id": quote_id,
+        "user_id": request.user_id
+    }
+)
     return redirect(f"/quotes/{quote_id}#bottom")
 
 
@@ -65,16 +77,30 @@ def post_comment(quote_id):
 def signin():
     username = request.form["username"].lower()
     password = request.form["password"]
+    
+    user = db.execute("""
+    SELECT id, password 
+    FROM users 
+    WHERE name = :username
+    """, {"username": username}
+).fetchone()
 
-    user = db.execute(f"select id, password from users where name='{username}'").fetchone()
     if user: # user exists
         if password != user['password']:
             # wrong! redirect to main page with an error message
             return redirect('/?error='+urllib.parse.quote("Invalid password!"))
         user_id = user['id']
     else: # new sign up
         with db:
-            cursor = db.execute(f"insert into users(name,password) values('{username}', '{password}')")
+            cursor = db.execute("""
+    INSERT INTO users (name, password) 
+    VALUES (:username, :password)
+    """, {
+        "username": username,
+        "password": password
+    }
+)
+
             user_id = cursor.lastrowid
     
     response = make_response(redirect('/'))
