From bd7f7a65d7ca9e50ad828e0760888e8ed8e59749 Mon Sep 17 00:00:00 2001
From: Edward Powell
Date: Mon, 15 Dec 2014 20:21:53 -0500
Subject: [PATCH] [db] Actually fix that injection issue

Thank fuck this commit isn't going to have to be maintained long-term, because it's a half-assed hack done at the last minute. As opposed to the shit it's patching, which doesn't rise to the level of half-assed hackery.
---
 willie/db.py | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/willie/db.py b/willie/db.py
index 6525a66697..5c99710977 100644
--- a/willie/db.py
+++ b/willie/db.py
@@ -22,7 +22,7 @@ import os
 import sys
 from collections import Iterable
-from willie.tools import deprecate_for_5, deprecated_5
+from willie.tools import deprecate_for_5, deprecated_5, iteritems
 if sys.version_info.major >= 3:
     unicode = str
     basestring = str
@@ -665,19 +665,22 @@ def update(self, row, values, key=None):
         cur = db.cursor()
         where = self._make_where_statement(key, row)
         cur.execute('SELECT * FROM ' + self.name + ' WHERE ' + where, rowl)
+        values = [(k, v) for k, v in iteritems(values)]
         if not cur.fetchone():
-            vals = "'" + row + "'"
-            for k in values:
+            vals = ''
+            for k, _ in values:
                 key = key + ', ' + k
-                vals = vals + ", '" + values[k] + "'"
+                vals = vals + ", %s"
             command = ('INSERT INTO ' + self.name + ' (' + key + ') VALUES ('
                        + vals + ');')
         else:
             command = 'UPDATE ' + self.name + ' SET '
-            for k in values:
-                command = command + k + "='" + values[k] + "', "
+            for k, _ in values:
+                command = command + k + "= %s, "
             command = command[:-2] + ' WHERE ' + key + " = '" + row + "';"
-            cur.execute(command)
+            shit = [val[1] for val in values]
+            command = command.replace('%s', self.db.substitution)
+            cur.execute(command, shit)
         db.commit()
         db.close()
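Review bot: The INSERT branch of the second hunk no longer builds a valid statement: `vals = ''` followed by `vals = vals + ", %s"` yields `VALUES (, %s, …)` with a leading comma, and the key column's value that the removed `"'" + row + "'"` supplied is gone while `shit` holds only the non-key values, so the column list and the bound parameters no longer line up. The UPDATE branch also still splices `row` into the WHERE clause by concatenation (`" = '" + row + "';"`) although the SELECT three lines earlier already binds it through `rowl`; use the placeholder there as well and append `row` to the parameter list. The column names taken from `values` and `key` cannot be bound and stay concatenated, so they should be checked against the table's known column names before being used. The enclosing `update` starts outside the hunk, and whether `cur.execute` sits inside the `else:` or after it cannot be told from the collapsed indentation here, so the sketch below executes once after both branches and renames `shit` to `params`.
```python
        values = [(k, v) for k, v in iteritems(values)]
        params = [v for _, v in values]
        if not cur.fetchone():
            vals = '%s'  # placeholder for the key column's value
            # … unchanged: loop extending key with ', ' + k and vals with ', %s'; INSERT command …
            params.insert(0, row)
        else:
            # … unchanged: UPDATE command and SET loop …
            command = command[:-2] + ' WHERE ' + key + " = %s;"
            params.append(row)
        command = command.replace('%s', self.db.substitution)
        cur.execute(command, params)
```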