Some injection fixes (#39642)

Fixes a breaking error and a possible injection exploit in
populate_key_2018-07-09.py, caused by keys that still exist from when byond allowed
characters in usernames (such as ') that are now blocked, e.g.
http://www.byond.com/members/immortaljrosh?format=text

Additionally fixes some unsanitized values in other queries.
This commit is contained in:
Jordie
2018-08-13 07:09:45 +10:00
committed by Tad Hardesty
parent 72dc00e9f0
commit f8f1b6ca03
3 changed files with 16 additions and 10 deletions


@@ -78,7 +78,7 @@ for current_ckey in ckey_list:
else:
print(msg)
continue
cursor.execute("UPDATE {0} SET byond_key = \'{1}\' WHERE ckey = \'{2}\'".format(player_table, key, current_ckey[0]))
cursor.execute("UPDATE {0} SET byond_key = %s WHERE ckey = %s".format(player_table), (key, current_ckey[0]))
db.commit()
end_time = datetime.now()
print("Script completed at {0} with duration {1}".format(datetime.now().strftime("%Y-%m-%d %H:%M:%S"), end_time - start_time))
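Review bot: The rewritten UPDATE still splices the table name into the SQL text with `.format(player_table)`, which the `%s` bound parameters cannot cover because identifiers are not bindable. If `player_table` is read from a config file or a command-line argument rather than being a literal in this script (not visible in the hunk), it should be validated as a bare identifier once before the loop, e.g. `if not re.fullmatch(r"[A-Za-z0-9_]+", player_table): raise SystemExit("invalid table name: " + player_table)`, or quoted with the driver's identifier-quoting helper. The `for current_ckey in ckey_list:` loop enclosing this statement starts outside the hunk, and with indentation lost here it is not possible to confirm whether `db.commit()` runs per row or once after the loop; a one-line comment stating the intended commit granularity, such as `# single commit after all keys are fetched`, would make that explicit.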