From 0a493b93490c720a4092b57ffa573aaa703607dc Mon Sep 17 00:00:00 2001
From: JonnyWong16
Date: Fri, 31 Mar 2017 09:37:22 -0700
Subject: [PATCH] Fix to make queries safe

---
 plexpy/mobile_app.py | 12 ++++++++----
 plexpy/notifiers.py  | 13 +++++++++----
 2 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/plexpy/mobile_app.py b/plexpy/mobile_app.py
index d3e34812..575e2c09 100644
--- a/plexpy/mobile_app.py
+++ b/plexpy/mobile_app.py
@@ -21,16 +21,20 @@ import logger
 
 def get_mobile_devices(device_id=None, device_token=None):
     where = where_id = where_token = ''
+    args = []
+
     if device_id or device_token:
         where = 'WHERE '
         if device_id:
-            where_id += 'device_id = "%s"' % device_id
+            where_id += 'device_id = ?'
+            args.append(device_id)
         if device_token:
-            where_token = 'device_token = "%s"' % device_token
+            where_token = 'device_token = ?'
+            args.append(device_token)
         where += ' AND '.join([w for w in [where_id, where_token] if w])
 
     monitor_db = database.MonitorDatabase()
-    result = monitor_db.select('SELECT * FROM mobile_devices %s' % where)
+    result = monitor_db.select('SELECT * FROM mobile_devices %s' % where, args=args)
 
     return result
 
@@ -40,7 +44,7 @@ def delete_mobile_device(device_id=None):
 
     if device_id:
         logger.debug(u"PlexPy Notifiers :: Deleting device_id %s from the database." % device_id)
-        result = monitor_db.action('DELETE FROM mobile_devices WHERE device_id = ?', [device_id])
+        result = monitor_db.action('DELETE FROM mobile_devices WHERE device_id = ?', args=[device_id])
         return True
     else:
         return False
diff --git a/plexpy/notifiers.py b/plexpy/notifiers.py
index de9ce283..29189f26 100644
--- a/plexpy/notifiers.py
+++ b/plexpy/notifiers.py
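Review bot: The `where` clause is still spliced into the SQL with `%` on the `monitor_db.select(...)` line, and nothing in the function says why that is now acceptable, so a later edit can easily put a caller value back into the format string. Add a comment above the call, `# where holds only fixed fragments; every caller-supplied value is bound through args`, to make the invariant explicit. The `?` placeholders assume the qmark paramstyle of the underlying driver (sqlite3's), which this hunk cannot confirm for MonitorDatabase — worth a one-line note if the backend ever changes. A docstring is also missing; `"""Return mobile_devices rows, optionally filtered by device_id and/or device_token."""` would do.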
@@ -362,17 +362,21 @@ def get_notifiers(notifier_id=None, notify_action=None):
 
     notify_actions = get_notify_actions()
     where = where_id = where_action = ''
+    args = []
+
     if notifier_id or notify_action:
         where = 'WHERE '
         if notifier_id:
-            where_id += 'notifier_id = %s' % notifier_id
+            where_id += 'notifier_id = ?'
+            args.append(notifier_id)
         if notify_action and notify_action in notify_actions:
-            where_action = '%s = 1' % notify_action
+            where_action = '%s = ?' % notify_action
+            args.append(1)
         where += ' AND '.join([w for w in [where_id, where_action] if w])
 
     monitor_db = database.MonitorDatabase()
     result = monitor_db.select('SELECT id, agent_id, agent_name, agent_label, friendly_name, %s FROM notifiers %s'
-                              % (', '.join(notify_actions), where))
+                              % (', '.join(notify_actions), where), args=args)
 
     for item in result:
         item['active'] = int(any([item.pop(k) for k in item.keys() if k in notify_actions]))
@@ -385,7 +389,8 @@ def delete_notifier(notifier_id=None):
 
     if str(notifier_id).isdigit():
         logger.debug(u"PlexPy Notifiers :: Deleting notifier_id %s from the database." % notifier_id)
-        result = monitor_db.action('DELETE FROM notifiers WHERE id = ?', [notifier_id])
+        result = monitor_db.action('DELETE FROM notifiers WHERE id = ?',
+                                  args=[notifier_id])
         return True
     else:
         return False
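Review bot: `where_id += 'notifier_id = ?'` filters on a column named `notifier_id`, while the same query selects `id, agent_id, ...` and `delete_notifier` in the next hunk uses `WHERE id = ?`; if the notifiers table keys on `id` (which this diff suggests but cannot prove), the filtered lookup raises "no such column" or matches nothing, so please verify the schema and, if so, change it to `where_id += 'id = ?'`. The `'%s = ?' % notify_action` line still interpolates an identifier into the SQL, which is unavoidable since column names cannot be bound, and is safe only because of the `notify_action in notify_actions` allow-list check on the line above; a comment such as `# column name cannot be a bound parameter; notify_action was validated against notify_actions above` would keep that guard from being removed as redundant later. The same reasoning applies to `', '.join(notify_actions)` in the SELECT, which should be mentioned in that comment. get_notifiers's body continues past the end of the hunk.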