Merge pull request #351 from Steve-Tech/main

Fix SQL injection/error - thanks @Steve-Tech 🙏
2025-12-07 09:36:05 -08:00 · 2023-08-13 15:25:49 +10:00
parent 11f341366b 29fc5c669d
commit 988a323757
1 changed files with 2 additions and 2 deletions
--- a/pialert/plugin.py
+++ b/pialert/plugin.py
@@ -514,10 +514,10 @@ def process_plugin_events(db, plugin, pluginsState):

            sql.execute ("INSERT INTO Plugins_Objects (Plugin, Object_PrimaryID, Object_SecondaryID, DateTimeCreated, DateTimeChanged, Watched_Value1, Watched_Value2, Watched_Value3, Watched_Value4, Status, Extra, UserData, ForeignKey) VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?)", (plugObj.pluginPref, plugObj.primaryId , plugObj.secondaryId , createdTime, plugObj.changed , plugObj.watched1 , plugObj.watched2 , plugObj.watched3 , plugObj.watched4 , plugObj.status , plugObj.extra, plugObj.userData, plugObj.foreignKey ))    
        else:
-            sql.execute (f"UPDATE Plugins_Objects set Plugin = '{plugObj.pluginPref}', DateTimeChanged = '{plugObj.changed}', Watched_Value1 = '{plugObj.watched1}', Watched_Value2 = '{plugObj.watched2}', Watched_Value3 = '{plugObj.watched3}', Watched_Value4 = '{plugObj.watched4}', Status = '{plugObj.status}', Extra = '{plugObj.extra}', ForeignKey = '{plugObj.foreignKey}' WHERE \"Index\" = {plugObj.index}")            
+            sql.execute ("UPDATE Plugins_Objects set Plugin = ?, DateTimeChanged = ?, Watched_Value1 = ?, Watched_Value2 = ?, Watched_Value3 = ?, Watched_Value4 = ?, Status = ?, Extra = ?, ForeignKey = ? WHERE \"Index\" = ?", (plugObj.pluginPref, plugObj.changed, plugObj.watched1, plugObj.watched2, plugObj.watched3, plugObj.watched4, plugObj.status, plugObj.extra, plugObj.foreignKey, plugObj.index))

    # Update the Plugins_Events with the new statuses    
-    sql.execute (f'DELETE FROM Plugins_Events where Plugin = "{pluginPref}"')
+    sql.execute ('DELETE FROM Plugins_Events where Plugin = ?', pluginPref)

    for plugObj in pluginEvents: