Merge pull request #538 from InvoxiPlayGames/master

Fix SQL injection
2026-03-21 17:34:21 -05:00 · 2020-07-11 13:57:16 +12:00 · 2020-07-11 13:57:16 +12:00 · f70eb21394
commit f70eb21394
parent 78ea73840d e35e0d090c
1 changed files with 5 additions and 5 deletions
--- a/gamespy/gs_database.py
+++ b/gamespy/gs_database.py
@ -367,12 +367,12 @@ class GamespyDatabase(object):

        Start replacing each field one by one.
        TODO: Optimize this so it's done all in one update.
-        FIXME: Possible security issue due to embedding an unsanitized
-        string directly into the statement.
+        TODO: Check if other values than firstname/lastname are set using this
        """
-        with Transaction(self.conn) as tx:
-            q = "UPDATE users SET \"%s\" = ? WHERE profileid = ?"
-            tx.nonquery(q % field[0], (field[1], profileid))
+        if field[0] in ["firstname", "lastname"]:
+            with Transaction(self.conn) as tx:
+                q = "UPDATE users SET \"%s\" = ? WHERE profileid = ?"
+                tx.nonquery(q % field[0], (field[1], profileid))

    # Session functions
    # TODO: Cache session keys so we don't have to query the database every