Parameterize SQL statements

This commit is contained in:
Arinerron 2018-09-26 17:50:54 -07:00
parent 0c9847fbec
commit 04f89383f7


@ -107,7 +107,7 @@ class Core:
c = conn.cursor() c = conn.cursor()
t = (peerID, name, 'unknown', hashID, powID, 0) t = (peerID, name, 'unknown', hashID, powID, 0)
for i in c.execute("SELECT * FROM PEERS where id = '" + peerID + "';"): for i in c.execute("SELECT * FROM PEERS where id = ?;", (peerID,)):
try: try:
if i[0] == peerID: if i[0] == peerID:
conn.close() conn.close()
@ -135,7 +135,7 @@ class Core:
# check if address is in database # check if address is in database
# this is safe to do because the address is validated above, but we strip some chars here too just in case # this is safe to do because the address is validated above, but we strip some chars here too just in case
address = address.replace('\'', '').replace(';', '').replace('"', '').replace('\\', '') address = address.replace('\'', '').replace(';', '').replace('"', '').replace('\\', '')
for i in c.execute("SELECT * FROM adders where address = '" + address + "';"): for i in c.execute("SELECT * FROM adders where address = ?;", (address,)):
try: try:
if i[0] == address: if i[0] == address:
conn.close() conn.close()
@ -187,7 +187,7 @@ class Core:
c.execute('Delete from hashes where hash=?;', t) c.execute('Delete from hashes where hash=?;', t)
conn.commit() conn.commit()
conn.close() conn.close()
blockFile = 'data/blocks/' + block + '.dat' blockFile = 'data/blocks/%s.dat' % block
dataSize = 0 dataSize = 0
try: try:
''' Get size of data when loaded as an object/var, rather than on disk, ''' Get size of data when loaded as an object/var, rather than on disk,
@ -289,7 +289,7 @@ class Core:
blockFile.close() blockFile.close()
conn = sqlite3.connect(self.blockDB) conn = sqlite3.connect(self.blockDB)
c = conn.cursor() c = conn.cursor()
c.execute("UPDATE hashes SET dataSaved=1 WHERE hash = '" + dataHash + "';") c.execute("UPDATE hashes SET dataSaved=1 WHERE hash = ?;", (dataHash,))
conn.commit() conn.commit()
conn.close() conn.close()
with open(self.dataNonceFile, 'a') as nonceFile: with open(self.dataNonceFile, 'a') as nonceFile:
@ -309,7 +309,7 @@ class Core:
for name in ['data']: for name in ['data']:
tar.add(name) tar.add(name)
tar.close() tar.close()
tarData = open('data.tar', 'r', encoding = "ISO-8859-1").read() tarData = open('data.tar', 'r', encoding = 'ISO-8859-1').read()
encrypted = simplecrypt.encrypt(password, tarData) encrypted = simplecrypt.encrypt(password, tarData)
open('data-encrypted.dat', 'wb').write(encrypted) open('data-encrypted.dat', 'wb').write(encrypted)
os.remove('data.tar') os.remove('data.tar')
@ -433,17 +433,23 @@ class Core:
randomOrder determines if the list should be in a random order randomOrder determines if the list should be in a random order
trust sets the minimum trust to list trust sets the minimum trust to list
''' '''
conn = sqlite3.connect(self.peerDB) conn = sqlite3.connect(self.peerDB)
c = conn.cursor() c = conn.cursor()
payload = ""
payload = ''
if trust not in (0, 1, 2): if trust not in (0, 1, 2):
logger.error('Tried to select invalid trust.') logger.error('Tried to select invalid trust.')
return return
if randomOrder: if randomOrder:
payload = 'SELECT * FROM peers where trust >= %s ORDER BY RANDOM();' % (trust,) payload = 'SELECT * FROM peers where trust >= %s ORDER BY RANDOM();' % (trust,)
else: else:
payload = 'SELECT * FROM peers where trust >= %s;' % (trust,) payload = 'SELECT * FROM peers where trust >= %s;' % (trust,)
peerList = [] peerList = []
for i in c.execute(payload): for i in c.execute(payload):
try: try:
if len(i[0]) != 0: if len(i[0]) != 0:
@ -453,6 +459,7 @@ class Core:
peerList.append(i[0]) peerList.append(i[0])
except TypeError: except TypeError:
pass pass
if getPow: if getPow:
try: try:
peerList.append(self._crypto.pubKey + '-' + self._crypto.pubKeyPowToken) peerList.append(self._crypto.pubKey + '-' + self._crypto.pubKeyPowToken)
@ -460,7 +467,9 @@ class Core:
pass pass
else: else:
peerList.append(self._crypto.pubKey) peerList.append(self._crypto.pubKey)
conn.close() conn.close()
return peerList return peerList
def getPeerInfo(self, peer, info): def getPeerInfo(self, peer, info):
@ -478,13 +487,17 @@ class Core:
hashID text 8 hashID text 8
pow text 9 pow text 9
''' '''
conn = sqlite3.connect(self.peerDB) conn = sqlite3.connect(self.peerDB)
c = conn.cursor() c = conn.cursor()
command = (peer,) command = (peer,)
infoNumbers = {'id': 0, 'name': 1, 'adders': 2, 'forwardKey': 3, 'dateSeen': 4, 'bytesStored': 5, 'trust': 6, 'pubkeyExchanged': 7, 'hashID': 8} infoNumbers = {'id': 0, 'name': 1, 'adders': 2, 'forwardKey': 3, 'dateSeen': 4, 'bytesStored': 5, 'trust': 6, 'pubkeyExchanged': 7, 'hashID': 8}
info = infoNumbers[info] info = infoNumbers[info]
iterCount = 0 iterCount = 0
retVal = '' retVal = ''
for row in c.execute('SELECT * from peers where id=?;', command): for row in c.execute('SELECT * from peers where id=?;', command):
for i in row: for i in row:
if iterCount == info: if iterCount == info:
@ -492,6 +505,7 @@ class Core:
break break
else: else:
iterCount += 1 iterCount += 1
conn.close() conn.close()
return retVal return retVal
@ -500,15 +514,20 @@ class Core:
''' '''
Update a peer for a key Update a peer for a key
''' '''
conn = sqlite3.connect(self.peerDB) conn = sqlite3.connect(self.peerDB)
c = conn.cursor() c = conn.cursor()
command = (data, peer) command = (data, peer)
# TODO: validate key on whitelist # TODO: validate key on whitelist
if key not in ('id', 'name', 'pubkey', 'blockDBHash', 'forwardKey', 'dateSeen', 'bytesStored', 'trust'): if key not in ('id', 'name', 'pubkey', 'blockDBHash', 'forwardKey', 'dateSeen', 'bytesStored', 'trust'):
raise Exception("Got invalid database key when setting peer info") raise Exception("Got invalid database key when setting peer info")
c.execute('UPDATE peers SET ' + key + ' = ? WHERE id=?', command) c.execute('UPDATE peers SET ' + key + ' = ? WHERE id=?', command)
conn.commit() conn.commit()
conn.close() conn.close()
return return
def getAddressInfo(self, address, info): def getAddressInfo(self, address, info):
@ -531,7 +550,7 @@ class Core:
info = infoNumbers[info] info = infoNumbers[info]
iterCount = 0 iterCount = 0
retVal = '' retVal = ''
for row in c.execute('SELECT * from adders where address=?;', command): for row in c.execute('SELECT * FROM adders WHERE address=?;', command):
for i in row: for i in row:
if iterCount == info: if iterCount == info:
retVal = i retVal = i
@ -613,9 +632,10 @@ class Core:
conn = sqlite3.connect(self.blockDB) conn = sqlite3.connect(self.blockDB)
c = conn.cursor() c = conn.cursor()
c.execute("UPDATE hashes SET dataType='" + blockType + "' WHERE hash = '" + hash + "';") c.execute("UPDATE hashes SET dataType = ? WHERE hash = ?;", (blockType, hash))
conn.commit() conn.commit()
conn.close() conn.close()
return return
def updateBlockInfo(self, hash, key, data): def updateBlockInfo(self, hash, key, data):
@ -642,6 +662,7 @@ class Core:
c.execute("UPDATE hashes SET " + key + " = ? where hash = ?;", args) c.execute("UPDATE hashes SET " + key + " = ? where hash = ?;", args)
conn.commit() conn.commit()
conn.close() conn.close()
return True return True
def insertBlock(self, data, header='txt', sign=False, encryptType='', symKey='', asymPeer='', meta = dict()): def insertBlock(self, data, header='txt', sign=False, encryptType='', symKey='', asymPeer='', meta = dict()):
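Review bot: In the hunk at -433 the two peer-list queries still interpolate a value into the SQL text (`'SELECT * FROM peers where trust >= %s ORDER BY RANDOM();' % (trust,)` and its non-random twin) even though the commit's purpose is to parameterize statements; the `trust not in (0, 1, 2)` check above keeps them safe today, but that check is now the only thing standing between the value and the query. For consistency with the rest of the change they could become `payload = 'SELECT * FROM peers where trust >= ? ORDER BY RANDOM();'` / `payload = 'SELECT * FROM peers where trust >= ?;'` with `c.execute(payload, (trust,))`. Similarly `'UPDATE peers SET ' + key + ' = ? WHERE id=?'` (hunk at -500) and `"UPDATE hashes SET " + key + " = ? where hash = ?;"` (hunk at -642) keep a column name concatenated into the statement; the first is guarded by the tuple whitelist two lines above it, while the second's guard, if any, lies outside the hunk and is worth confirming and marking with a comment such as `# key is concatenated into SQL: it must have been checked against the column whitelist first`. The enclosing methods in all three cases start and end outside their hunks.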