Fix to make queries safe

2025-07-15 01:32:57 -07:00 · 2017-03-31 09:37:22 -07:00 · 2017-03-31 09:37:22 -07:00 · 0a493b9349
commit 0a493b9349
parent a612de52f9
2 changed files with 17 additions and 8 deletions
--- a/plexpy/notifiers.py
+++ b/plexpy/notifiers.py
@ -362,17 +362,21 @@ def get_notifiers(notifier_id=None, notify_action=None):
    notify_actions = get_notify_actions()

    where = where_id = where_action = ''
+    args = []
+
    if notifier_id or notify_action:
        where = 'WHERE '
        if notifier_id:
-            where_id += 'notifier_id = %s' % notifier_id
+            where_id += 'notifier_id = ?'
+            args.append(notifier_id)
        if notify_action and notify_action in notify_actions:
-            where_action = '%s = 1' % notify_action
+            where_action = '%s = ?' % notify_action
+            args.append(1)
        where += ' AND '.join([w for w in [where_id, where_action] if w])

    monitor_db = database.MonitorDatabase()
    result = monitor_db.select('SELECT id, agent_id, agent_name, agent_label, friendly_name, %s FROM notifiers %s'
-                               % (', '.join(notify_actions), where))
+                               % (', '.join(notify_actions), where), args=args)
    
    for item in result:
        item['active'] = int(any([item.pop(k) for k in item.keys() if k in notify_actions]))
@ -385,7 +389,8 @@ def delete_notifier(notifier_id=None):

    if str(notifier_id).isdigit():
        logger.debug(u"PlexPy Notifiers :: Deleting notifier_id %s from the database." % notifier_id)
-        result = monitor_db.action('DELETE FROM notifiers WHERE id = ?', [notifier_id])
+        result = monitor_db.action('DELETE FROM notifiers WHERE id = ?',
+                                   args=[notifier_id])
        return True
    else:
        return False