Fix to make queries safe

JonnyWong16 2017-03-31 09:37:22 -07:00
parent a612de52f9
commit 0a493b9349
2 changed files with 17 additions and 8 deletions


@ -21,16 +21,20 @@ import logger
def get_mobile_devices(device_id=None, device_token=None): def get_mobile_devices(device_id=None, device_token=None):
where = where_id = where_token = '' where = where_id = where_token = ''
args = []
if device_id or device_token: if device_id or device_token:
where = 'WHERE ' where = 'WHERE '
if device_id: if device_id:
where_id += 'device_id = "%s"' % device_id where_id += 'device_id = ?'
args.append(device_id)
if device_token: if device_token:
where_token = 'device_token = "%s"' % device_token where_token = 'device_token = ?'
args.append(device_token)
where += ' AND '.join([w for w in [where_id, where_token] if w]) where += ' AND '.join([w for w in [where_id, where_token] if w])
monitor_db = database.MonitorDatabase() monitor_db = database.MonitorDatabase()
result = monitor_db.select('SELECT * FROM mobile_devices %s' % where) result = monitor_db.select('SELECT * FROM mobile_devices %s' % where, args=args)
return result return result
@ -40,7 +44,7 @@ def delete_mobile_device(device_id=None):
if device_id: if device_id:
logger.debug(u"PlexPy Notifiers :: Deleting device_id %s from the database." % device_id) logger.debug(u"PlexPy Notifiers :: Deleting device_id %s from the database." % device_id)
result = monitor_db.action('DELETE FROM mobile_devices WHERE device_id = ?', [device_id]) result = monitor_db.action('DELETE FROM mobile_devices WHERE device_id = ?', args=[device_id])
return True return True
else: else:
return False return False
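Review bot: In the get_mobile_devices hunk the query is now correct only because `args` is appended in exactly the order the fragments are joined in `[where_id, where_token]`, and nothing in the code records that coupling; a one-line comment above the join, `# args must be appended in the same order as the fragments below`, would stop a later reordering from silently binding the wrong value. It is also worth noting in a docstring that the remaining `%` interpolation on the SELECT line only ever inserts the constant `where` text, so it is not an injection point. I would add `"""Return mobile_devices rows, optionally filtered by device_id and/or device_token (both bound as ? parameters)."""` as the function docstring. The delete_mobile_device hunk is a keyword-argument rename only and needs no change.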


@ -362,17 +362,21 @@ def get_notifiers(notifier_id=None, notify_action=None):
notify_actions = get_notify_actions() notify_actions = get_notify_actions()
where = where_id = where_action = '' where = where_id = where_action = ''
args = []
if notifier_id or notify_action: if notifier_id or notify_action:
where = 'WHERE ' where = 'WHERE '
if notifier_id: if notifier_id:
where_id += 'notifier_id = %s' % notifier_id where_id += 'notifier_id = ?'
args.append(notifier_id)
if notify_action and notify_action in notify_actions: if notify_action and notify_action in notify_actions:
where_action = '%s = 1' % notify_action where_action = '%s = ?' % notify_action
args.append(1)
where += ' AND '.join([w for w in [where_id, where_action] if w]) where += ' AND '.join([w for w in [where_id, where_action] if w])
monitor_db = database.MonitorDatabase() monitor_db = database.MonitorDatabase()
result = monitor_db.select('SELECT id, agent_id, agent_name, agent_label, friendly_name, %s FROM notifiers %s' result = monitor_db.select('SELECT id, agent_id, agent_name, agent_label, friendly_name, %s FROM notifiers %s'
% (', '.join(notify_actions), where)) % (', '.join(notify_actions), where), args=args)
for item in result: for item in result:
item['active'] = int(any([item.pop(k) for k in item.keys() if k in notify_actions])) item['active'] = int(any([item.pop(k) for k in item.keys() if k in notify_actions]))
@ -385,7 +389,8 @@ def delete_notifier(notifier_id=None):
if str(notifier_id).isdigit(): if str(notifier_id).isdigit():
logger.debug(u"PlexPy Notifiers :: Deleting notifier_id %s from the database." % notifier_id) logger.debug(u"PlexPy Notifiers :: Deleting notifier_id %s from the database." % notifier_id)
result = monitor_db.action('DELETE FROM notifiers WHERE id = ?', [notifier_id]) result = monitor_db.action('DELETE FROM notifiers WHERE id = ?',
args=[notifier_id])
return True return True
else: else:
return False return False
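Review bot: In the get_notifiers hunk an unrecognised notify_action still produces a malformed query: `if notifier_id or notify_action:` sets `where = 'WHERE '` before the `notify_action in notify_actions` allow-list check runs, so with notifier_id unset and a bogus action the SELECT ends in a bare `WHERE`. Building the clause list first and only prefixing `WHERE` when it is non-empty removes that path. Note also that `args.append(1)` binds a constant while the caller-supplied part, the column name in `'%s = ?' % notify_action`, is still string-formatted; that is acceptable only because of the allow-list against notify_actions (from get_notify_actions(), defined outside the hunk), which deserves a comment so nobody loosens the check later. The function body continues past the end of the hunk.
```python
notify_actions = get_notify_actions()
clauses = []
args = []
if notifier_id:
    clauses.append('notifier_id = ?')
    args.append(notifier_id)
if notify_action and notify_action in notify_actions:
    # notify_action is used as a column name, so it cannot be bound as a
    # parameter; the allow-list check above is what keeps this safe.
    clauses.append('%s = ?' % notify_action)
    args.append(1)
# No WHERE at all when nothing valid was supplied (avoids a dangling 'WHERE ').
where = 'WHERE ' + ' AND '.join(clauses) if clauses else ''
# ... unchanged: monitor_db select and result post-processing ...
```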