Troplo/PlexKodiConnect
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Fix possible SQL injection vectors

Browse source
This commit is contained in:
tomkat83 2017-05-08 19:28:34 +02:00
parent 21d13c6471
commit 44af9a20e5
2 changed files with 6 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
resources/lib/kodidb_functions.py
View file

@ -1409,9 +1409,8 @@ class Kodidb_Functions():
ID = 'idEpisode' ID = 'idEpisode'
elif kodi_type == v.KODI_TYPE_SONG: elif kodi_type == v.KODI_TYPE_SONG:
ID = 'idSong' ID = 'idSong'
query = ('''UPDATE %s SET userrating = ? WHERE %s = ?''' query = '''UPDATE ? SET userrating = ? WHERE ? = ?'''
% (kodi_type, ID)) self.cursor.execute(query, (kodi_type, userrating, ID, kodi_id))
self.cursor.execute(query, (userrating, kodi_id))
def create_entry_uniqueid(self): def create_entry_uniqueid(self):
self.cursor.execute( self.cursor.execute(

8
resources/lib/utils.py
View file

@ -322,7 +322,7 @@ def reset():
for row in rows: for row in rows:
tablename = row[0] tablename = row[0]
if tablename != "version": if tablename != "version":
cursor.execute("DELETE FROM " + tablename) cursor.execute("DELETE FROM ?", (tablename,))
connection.commit() connection.commit()
cursor.close() cursor.close()
@ -335,7 +335,7 @@ def reset():
for row in rows: for row in rows:
tablename = row[0] tablename = row[0]
if tablename != "version": if tablename != "version":
cursor.execute("DELETE FROM " + tablename) cursor.execute("DELETE FROM ?", (tablename, ))
connection.commit() connection.commit()
cursor.close() cursor.close()
@ -348,7 +348,7 @@ def reset():
for row in rows: for row in rows:
tablename = row[0] tablename = row[0]
if tablename != "version": if tablename != "version":
cursor.execute("DELETE FROM " + tablename) cursor.execute("DELETE FROM ?", (tablename, ))
cursor.execute('DROP table IF EXISTS plex') cursor.execute('DROP table IF EXISTS plex')
cursor.execute('DROP table IF EXISTS view') cursor.execute('DROP table IF EXISTS view')
connection.commit() connection.commit()
@ -372,7 +372,7 @@ def reset():
for row in rows: for row in rows:
tableName = row[0] tableName = row[0]
if(tableName != "version"): if(tableName != "version"):
cursor.execute("DELETE FROM " + tableName) cursor.execute("DELETE FROM ?", (tableName, ))
connection.commit() connection.commit()
cursor.close() cursor.close()