From 462399de435c01ad342fe95a1f741920cbe488b0 Mon Sep 17 00:00:00 2001
From: Silas Bartha
Date: Wed, 12 Feb 2025 18:55:47 -0500
Subject: made API more injection-resistant (lmao)
---
 api/api.py | 12 ++++++------
 api/forum.db | Bin 20480 -> 0 bytes
 2 files changed, 6 insertions(+), 6 deletions(-)
 delete mode 100644 api/forum.db
(limited to 'api')
diff --git a/api/api.py b/api/api.py
index f5fd677..3b74bfc 100644
--- a/api/api.py
+++ b/api/api.py
@@ -71,16 +71,16 @@ def remove_message():
 cur = db.cursor()
 token = request.form['token']
 message_id = request.form['message_id']
- res = cur.execute(f"SELECT user_id FROM user WHERE token='{token}'")
+ res = cur.execute("SELECT user_id FROM user WHERE token= ?", (token,))
 res = res.fetchone()
 if res is not None:
 (user_id,) = res
- res = cur.execute(f"SELECT message_id, user_id FROM message WHERE message_id='{message_id}'")
+ res = cur.execute("SELECT message_id, user_id FROM message WHERE message_id= ?", (message_id,))
 res = res.fetchone()
 if res is not None:
 (message_id, message_user_id) = res
 if message_user_id == user_id:
- cur.execute(f"DELETE FROM message WHERE message_id='{message_id}'")
+ cur.execute("DELETE FROM message WHERE message_id= ?", (message_id,))
 db.commit()
 return Response(status=HTTPStatus.NO_CONTENT)
 else:
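Review bot: The ownership check and the DELETE are still two separate statements around the `(message_id, message_user_id) = res` unpack, so a message can be looked up, found owned, and then deleted in a different state than was checked, and the form value `message_id` gets rebound to the row value along the way. Both the second SELECT and the DELETE collapse into one statement that carries the ownership condition: `cur.execute("DELETE FROM message WHERE message_id = ? AND user_id = ?", (message_id, user_id))`, then `if cur.rowcount == 1:` decides between NO_CONTENT and the existing else branch. The UPDATE in the edit_message hunk has the same select-then-write shape and can take the same `AND user_id = ?` condition. remove_message's def line and the bindings of db lie before the hunk, and its else branches continue after it.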
@@ -97,16 +97,16 @@ def edit_message():
 token = request.form['token']
 message_id = request.form['message_id']
 new_message = request.form['message']
- res = cur.execute(f"SELECT user_id FROM user WHERE token='{token}'")
+ res = cur.execute("SELECT user_id FROM user WHERE token = ?", (token,))
 res = res.fetchone()
 if res is not None and new_message is not None:
 (user_id,) = res
- res = cur.execute(f"SELECT message_id, user_id FROM message WHERE message_id='{message_id}'")
+ res = cur.execute("SELECT message_id, user_id FROM message WHERE message_id= ?", (message_id,))
 res = res.fetchone()
 if res is not None:
 (message_id, message_user_id) = res
 if message_user_id == user_id:
- cur.execute(f"UPDATE message SET message = '{new_message}' WHERE message_id='{message_id}'");
+ cur.execute("UPDATE message SET message = ? WHERE message_id= ?", (new_message, message_id));
 db.commit()
 return Response(status=HTTPStatus.NO_CONTENT)
 else:
diff --git a/api/forum.db b/api/forum.db
deleted file mode 100644
index ef88bf9..0000000
Binary files a/api/forum.db and /dev/null differ
-- 
cgit v1.2.3
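Review bot: The `new_message is not None` half of `if res is not None and new_message is not None:` can never be false, because `new_message = request.form['message']` three lines above raises KeyError (Flask turns that into a 400) instead of yielding None when the field is absent; either drop that clause or read the field with `new_message = request.form.get('message')` if a missing field is meant to reach the else branch. The new UPDATE line also keeps the trailing `;` from the old one, which is a no-op in Python and should go. Separately, api/forum.db is deleted here but remains in the repository history, so any user tokens it held should be treated as exposed unless that history is rewritten. edit_message's def line and the else branches lie outside the hunk.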