From 1dbf301fa407ceb6249a672e9692f8f37f501817 Mon Sep 17 00:00:00 2001
From: Pixis
Date: Thu, 18 Nov 2021 10:36:20 +0100
Subject: [PATCH] Parameterized queries for adding credentials
---
 database.py | 42 ++++++++++++++++++++++++++++++++++++------
 1 file changed, 36 insertions(+), 6 deletions(-)
diff --git a/database.py b/database.py
index 8ae17a4..78f4e0e 100644
--- a/database.py
+++ b/database.py
@@ -1079,13 +1079,26 @@ class database:
 #return None
 try:
 if pillaged_from_userid == None :
- query = f"SELECT * FROM credz WHERE LOWER(username)=LOWER('{credz_username}') AND LOWER(password)=LOWER('{credz_password}') AND LOWER(type)=LOWER('{credz_type}') AND LOWER(target)=LOWER('{credz_target}') AND pillaged_from_computerid={pillaged_from_computerid}"
+ query = "SELECT * FROM credz WHERE LOWER(username)=LOWER(:credz_username) AND LOWER(password)=LOWER(:credz_password) AND LOWER(type)=LOWER(:credz_type) AND LOWER(target)=LOWER(:credz_target) AND pillaged_from_computerid=:pillaged_from_computerid"
+ parameters = {
+ "credz_username": credz_username,
+ "credz_password": credz_password,
+ "credz_type": credz_type, "credz_target": credz_target,
+ "pillaged_from_computerid": int(pillaged_from_computerid),
+ }
 else:
- query=f"SELECT * FROM credz WHERE LOWER(username)=LOWER('{credz_username}') AND LOWER(password)=LOWER('{credz_password}') AND LOWER(type)=LOWER('{credz_type}') AND LOWER(target)=LOWER('{credz_target}') AND pillaged_from_computerid={pillaged_from_computerid} AND pillaged_from_userid={pillaged_from_userid}"
+ query = "SELECT * FROM credz WHERE LOWER(username)=LOWER(:credz_username) AND LOWER(password)=LOWER(:credz_password) AND LOWER(type)=LOWER(:credz_type) AND LOWER(target)=LOWER(:credz_target) AND pillaged_from_computerid=:pillaged_from_computerid AND pillaged_from_userid=:pillaged_from_userid"
+ parameters = {
+ "credz_username": credz_username,
+ "credz_password": credz_password,
+ "credz_type": credz_type, "credz_target": credz_target,
+ "pillaged_from_computerid": int(pillaged_from_computerid),
+ "pillaged_from_userid": int(pillaged_from_userid)
+ }
 self.logging.debug(query)
 with self.conn:
 cur = self.conn.cursor()
- cur.execute(query)
+ cur.execute(query, parameters)
 results = cur.fetchall()
 except Exception as ex:
 self.logging.error(f"Exception in add_credz 3")
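Review bot: Both branches build the same SELECT and the same first five parameter keys twice, and the INSERT hunk below repeats the pattern a third and fourth time; building the base dict once and appending the `pillaged_from_userid` clause and key only when the id is present keeps a single source of truth for the placeholders. The `int()` casts are new in this commit: if an id arrives as None they raise TypeError before any SQL runs, and the handler at the bottom of the hunk logs a fixed message without `ex`, so the cause would be invisible in the log — worth validating both ids once at the top of add_credz, whose body starts before and ends after this hunk. As a point of style, the first dict puts `"credz_type": credz_type, "credz_target": credz_target,` on one line while the dicts in the next hunk use one key per line; pick one layout.
```python
                parameters = {
                    "credz_username": credz_username,
                    "credz_password": credz_password,
                    "credz_type": credz_type,
                    "credz_target": credz_target,
                    "pillaged_from_computerid": int(pillaged_from_computerid),
                }
                query = (
                    "SELECT * FROM credz WHERE LOWER(username)=LOWER(:credz_username)"
                    " AND LOWER(password)=LOWER(:credz_password)"
                    " AND LOWER(type)=LOWER(:credz_type)"
                    " AND LOWER(target)=LOWER(:credz_target)"
                    " AND pillaged_from_computerid=:pillaged_from_computerid"
                )
                if pillaged_from_userid is not None:
                    query += " AND pillaged_from_userid=:pillaged_from_userid"
                    parameters["pillaged_from_userid"] = int(pillaged_from_userid)
                # … unchanged: debug log, cursor, execute(query, parameters), fetchall …
```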
@@ -1093,13 +1106,30 @@ class database:
 try:
 if not len(results):
 if pillaged_from_userid == None:
- query = f"INSERT INTO credz (username, password, target, type, pillaged_from_computerid, file_path) VALUES ('{credz_username}', '{credz_password}', '{credz_target}', '{credz_type}', {pillaged_from_computerid}, '{credz_path}')"
+ query = "INSERT INTO credz (username, password, target, type, pillaged_from_computerid, file_path) VALUES (:credz_username, :credz_password, :credz_target, :credz_type, :pillaged_from_computerid, :credz_path)"
+ parameters = {
+ "credz_username": credz_username,
+ "credz_password": credz_password,
+ "credz_target": credz_target,
+ "credz_type": credz_type,
+ "pillaged_from_computerid": int(pillaged_from_computerid),
+ "credz_path": credz_path,
+ }
 else:
- query=f"INSERT INTO credz (username, password, target, type, pillaged_from_computerid,pillaged_from_userid, file_path) VALUES ('{credz_username}', '{credz_password}', '{credz_target}', '{credz_type}', {pillaged_from_computerid}, {pillaged_from_userid}, '{credz_path}')"
+ query = "INSERT INTO credz (username, password, target, type, pillaged_from_computerid,pillaged_from_userid, file_path) VALUES (:credz_username, :credz_password, :credz_target, :credz_type, :pillaged_from_computerid, :pillaged_from_userid, :credz_path)"
+ parameters = {
+ "credz_username": credz_username,
+ "credz_password": credz_password,
+ "credz_type": credz_type,
+ "credz_target": credz_target,
+ "pillaged_from_computerid": int(pillaged_from_computerid),
+ "pillaged_from_userid": int(pillaged_from_userid),
+ "credz_path": credz_path,
+ }
 self.logging.debug(query)
 with self.conn:
 cur = self.conn.cursor()
- cur.execute(query)
+ cur.execute(query, parameters)
 user_rowid = cur.lastrowid
 self.logging.debug(
 f'added_credential(credtype={credz_type}, target={credz_target}, username={credz_username}, password={credz_password}) => {user_rowid}')
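Review bot: The debug call at the end of the hunk still interpolates `password={credz_password}` into the log line, so the plaintext secret that the parameterization just removed from the `self.logging.debug(query)` output is still written at DEBUG level a few lines later; logging the rowid, username and target only, e.g. `self.logging.debug(f'added_credential(credtype={credz_type}, target={credz_target}, username={credz_username}) => {user_rowid}')`, keeps the log file safe to retain or share. The INSERT and its bindings otherwise look correct; one small inconsistency is that the first dict lists `credz_target` before `credz_type` while the second lists them the other way round — harmless with named placeholders, but matching the column order of the INSERT in both makes the two easier to check against each other. The enclosing add_credz body starts before this hunk.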