Fix to make queries safe

2025-07-14 17:22:56 -07:00 · 2017-03-31 09:37:22 -07:00 · 2017-03-31 09:37:22 -07:00 · 0a493b9349
commit 0a493b9349
parent a612de52f9
2 changed files with 17 additions and 8 deletions
--- a/plexpy/mobile_app.py
+++ b/plexpy/mobile_app.py
@ -21,16 +21,20 @@ import logger

 def get_mobile_devices(device_id=None, device_token=None):
    where = where_id = where_token = ''
+    args = []
+
    if device_id or device_token:
        where = 'WHERE '
        if device_id:
-            where_id += 'device_id = "%s"' % device_id
+            where_id += 'device_id = ?'
+            args.append(device_id)
        if device_token:
-            where_token = 'device_token = "%s"' % device_token
+            where_token = 'device_token = ?'
+            args.append(device_token)
        where += ' AND '.join([w for w in [where_id, where_token] if w])

    monitor_db = database.MonitorDatabase()
-    result = monitor_db.select('SELECT * FROM mobile_devices %s' % where)
+    result = monitor_db.select('SELECT * FROM mobile_devices %s' % where, args=args)

    return result

@ -40,7 +44,7 @@ def delete_mobile_device(device_id=None):

    if device_id:
        logger.debug(u"PlexPy Notifiers :: Deleting device_id %s from the database." % device_id)
-        result = monitor_db.action('DELETE FROM mobile_devices WHERE device_id = ?', [device_id])
+        result = monitor_db.action('DELETE FROM mobile_devices WHERE device_id = ?', args=[device_id])
        return True
    else:
        return False
--- a/plexpy/notifiers.py
+++ b/plexpy/notifiers.py
@ -362,17 +362,21 @@ def get_notifiers(notifier_id=None, notify_action=None):
    notify_actions = get_notify_actions()

    where = where_id = where_action = ''
+    args = []
+
    if notifier_id or notify_action:
        where = 'WHERE '
        if notifier_id:
-            where_id += 'notifier_id = %s' % notifier_id
+            where_id += 'notifier_id = ?'
+            args.append(notifier_id)
        if notify_action and notify_action in notify_actions:
-            where_action = '%s = 1' % notify_action
+            where_action = '%s = ?' % notify_action
+            args.append(1)
        where += ' AND '.join([w for w in [where_id, where_action] if w])

    monitor_db = database.MonitorDatabase()
    result = monitor_db.select('SELECT id, agent_id, agent_name, agent_label, friendly_name, %s FROM notifiers %s'
-                               % (', '.join(notify_actions), where))
+                               % (', '.join(notify_actions), where), args=args)
    
    for item in result:
        item['active'] = int(any([item.pop(k) for k in item.keys() if k in notify_actions]))
@ -385,7 +389,8 @@ def delete_notifier(notifier_id=None):

    if str(notifier_id).isdigit():
        logger.debug(u"PlexPy Notifiers :: Deleting notifier_id %s from the database." % notifier_id)
-        result = monitor_db.action('DELETE FROM notifiers WHERE id = ?', [notifier_id])
+        result = monitor_db.action('DELETE FROM notifiers WHERE id = ?',
+                                   args=[notifier_id])
        return True
    else:
        return False