Fix possible SQL injection vectors

resources/lib/kodidb_functions.py

@@ -1409,9 +1409,8 @@ class Kodidb_Functions():
             ID = 'idEpisode'
         elif kodi_type == v.KODI_TYPE_SONG:
             ID = 'idSong'
-        query = ('''UPDATE %s SET userrating = ? WHERE %s = ?'''
-                 % (kodi_type, ID))
-        self.cursor.execute(query, (userrating, kodi_id))
+        query = '''UPDATE ? SET userrating = ? WHERE ? = ?'''
+        self.cursor.execute(query, (kodi_type, userrating, ID, kodi_id))
 
     def create_entry_uniqueid(self):
         self.cursor.execute(

resources/lib/utils.py

@@ -322,7 +322,7 @@ def reset():
     for row in rows:
         tablename = row[0]
         if tablename != "version":
-            cursor.execute("DELETE FROM " + tablename)
+            cursor.execute("DELETE FROM ?", (tablename,))
     connection.commit()
     cursor.close()
 
@@ -335,7 +335,7 @@ def reset():
         for row in rows:
             tablename = row[0]
             if tablename != "version":
-                cursor.execute("DELETE FROM " + tablename)
+                cursor.execute("DELETE FROM ?", (tablename, ))
         connection.commit()
         cursor.close()
 
@@ -348,7 +348,7 @@ def reset():
     for row in rows:
         tablename = row[0]
         if tablename != "version":
-            cursor.execute("DELETE FROM " + tablename)
+            cursor.execute("DELETE FROM ?", (tablename, ))
     cursor.execute('DROP table IF EXISTS plex')
     cursor.execute('DROP table IF EXISTS view')
     connection.commit()
@@ -372,7 +372,7 @@ def reset():
         for row in rows:
             tableName = row[0]
             if(tableName != "version"):
-                cursor.execute("DELETE FROM " + tableName)
+                cursor.execute("DELETE FROM ?", (tableName, ))
         connection.commit()
         cursor.close()