Fix SQL injection

This commit is contained in:
InvoxiPlayGames 2020-07-11 00:26:41 +01:00
parent 78ea73840d
commit e35e0d090c


@ -367,12 +367,12 @@ class GamespyDatabase(object):
Start replacing each field one by one.
TODO: Optimize this so it's done all in one update.
FIXME: Possible security issue due to embedding an unsanitized
string directly into the statement.
TODO: Check if other values than firstname/lastname are set using this
"""
with Transaction(self.conn) as tx:
q = "UPDATE users SET \"%s\" = ? WHERE profileid = ?"
tx.nonquery(q % field[0], (field[1], profileid))
if field[0] in ["firstname", "lastname"]:
with Transaction(self.conn) as tx:
q = "UPDATE users SET \"%s\" = ? WHERE profileid = ?"
tx.nonquery(q % field[0], (field[1], profileid))
# Session functions
# TODO: Cache session keys so we don't have to query the database every
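Review bot: The allow-list at the `if field[0] in ["firstname", "lastname"]:` line now silently drops any update whose column is not one of those two, so a caller passing another field gets neither an error nor a row change, and the docstring's own TODO says it is still unknown whether other fields reach this path. Unless that silent no-op is intended, the rejected case should at least be logged with the offending column name, or raise `ValueError(f"unexpected profile field: {field[0]!r}")`; which of the two is right depends on the callers, which are outside this hunk. The FIXME about "embedding an unsanitized string" is now stale and should be replaced by a comment that ties the `%` interpolation to the check, e.g. `# field[0] is interpolated into the SQL text, so it must come from this allow-list; field[1] stays a bound parameter`. Hoisting the two names into a module-level `frozenset` constant would also make it clearer that this list is the security boundary. The enclosing method begins before the hunk, so its signature and the origin of `field` are not visible here.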