Merge pull request #538 from InvoxiPlayGames/master
Fix SQL injection
barronwaffles committed Jul 11, 2020
2 parents 78ea738 + e35e0d0 commit f70eb21
Showing 1 changed file with 5 additions and 5 deletions.
10 changes: 5 additions & 5 deletions gamespy/gs_database.py
Expand Up @@ -367,12 +367,12 @@ def update_profile(self, profileid, field):
Start replacing each field one by one.
TODO: Optimize this so it's done all in one update.
FIXME: Possible security issue due to embedding an unsanitized
string directly into the statement.
TODO: Check if other values than firstname/lastname are set using this
"""
with Transaction(self.conn) as tx:
q = "UPDATE users SET \"%s\" = ? WHERE profileid = ?"
tx.nonquery(q % field[0], (field[1], profileid))
if field[0] in ["firstname", "lastname"]:
with Transaction(self.conn) as tx:
q = "UPDATE users SET \"%s\" = ? WHERE profileid = ?"
tx.nonquery(q % field[0], (field[1], profileid))

# Session functions
# TODO: Cache session keys so we don't have to query the database every
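Review bot: The added guard drops an update to any column other than firstname/lastname without a trace — `tx.nonquery` is simply not reached and nothing is raised or logged — so a legitimate caller passing another field stops persisting silently, and a rejected column name is equally invisible to whoever operates the service. I would add an `else:` branch that records the rejection, e.g. `else: raise ValueError("update_profile: unsupported field %r" % field[0])` (or a logger warning if the module has one; I cannot see that from here), and refresh the docstring's FIXME, which still describes the problem the allowlist now addresses. Since the `%s` substitution into the statement is kept, hoisting the allowed names into a module-level constant such as `_PROFILE_UPDATE_FIELDS = ("firstname", "lastname")` would keep future additions to constant strings rather than values computed near the query. The body of update_profile begins outside the hunk.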
