lukaqueres / Frequency

Discord bot with features including: planning, administration, and music playing.
http://theplanbot.com
GNU Affero General Public License v3.0

Improve security in DB requests and connections overall #15

Open lukaqueres opened 2 years ago

lukaqueres commented 2 years ago

Because of a huge security problem with SELECTs in code, featuring in-string variable passing, please edit this, as follows in the article

https://www.psycopg.org/docs/usage.html#the-problem-with-the-query-parameters

lukaqueres commented 2 years ago

Edit: There is an idea of a function detecting SQL code passed as an attribute; it could display a special message in such cases

kocielnik commented 2 years ago

Lemme help!

lukaqueres commented 2 years ago

Well

This sucks, but there is still an error.

In functions.py

File "/app/discord_bot/cogs/message_check.py", line 314, in on_message
    database_record = get_database_data('servers_properties', 'message_check_feature', guild_id)
File "/app/discord_bot/functions.py", line 34, in get_database_data
    cur.execute(
psycopg2.errors.SyntaxError: syntax error at or near "'servers_properties'"
LINE 1: SELECT 'message_check_feature' from 'servers_properties' WHE...
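An added example, not code from the Frequency project, using the standard-library sqlite3 module as an offline stand-in for psycopg2: the value (guild_id) is bound as a parameter, while the table and column names are checked against an allow-list and quoted as identifiers (with psycopg2 the equivalent is psycopg2.sql.Identifier), and column_as_parameter shows why binding an identifier produces the quoted literal seen in the traceback. The table, its columns and the rows are constructed for the example.

```python
import sqlite3

# Allow-list of readable columns per table. Constructed for this example;
# the real schema of the bot is not on the page.
ALLOWED_COLUMNS = {
    "servers_properties": {"message_check_feature"},
}


def quote_identifier(name: str) -> str:
    """Double-quote a SQL identifier (standard SQL, PostgreSQL included).
    With psycopg2 use psycopg2.sql.Identifier instead of this helper."""
    return '"' + name.replace('"', '""') + '"'


def get_database_data(conn, table: str, column: str, guild_id: int):
    """Hardened lookup: identifiers are allow-listed and quoted, the value is bound."""
    # Identifiers can never be bound parameters; the driver would emit them as
    # string literals, which is exactly the "from 'servers_properties'" error.
    if column not in ALLOWED_COLUMNS.get(table, set()):
        raise ValueError(f"unknown table/column: {table}.{column}")
    query = (
        f"SELECT {quote_identifier(column)} FROM {quote_identifier(table)} "
        "WHERE guild_id = ?"
    )
    # The value is passed to the driver separately, never interpolated into SQL.
    row = conn.execute(query, (guild_id,)).fetchone()
    return row[0] if row else None


def column_as_parameter(conn, column: str, guild_id: int):
    """What goes wrong when a column name is bound like a value: the database
    sees a string literal, so the literal itself comes back instead of the
    column's content (PostgreSQL rejects the same trick for the table name)."""
    row = conn.execute(
        "SELECT ? FROM servers_properties WHERE guild_id = ?", (column, guild_id)
    ).fetchone()
    return row[0] if row else None


def make_demo_db():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE servers_properties "
        "(guild_id INTEGER PRIMARY KEY, message_check_feature INTEGER)"
    )
    conn.execute("INSERT INTO servers_properties VALUES (1, 1), (2, 0)")
    return conn
```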