
Protect against SQL Injection #37

Closed
dwhagar opened this issue Jun 29, 2016 · 2 comments

Comments

@dwhagar
Owner

dwhagar commented Jun 29, 2016

Still not sure how, though I know I have done some to protect against SQL Injection attacks, I'm not sure if it is enough. Though this is just a user bot, and I use password hashing of course, I think I really need to try to harden the bot against such attacks.

@RodentOfUnusualSize
Collaborator

Password hashing isn't really the issue. The issue is that there were several SQL statements assembled like this:

query = "DELETE FROM users WHERE uid IS '" + uid + "'"
db.execute(query)

If I could somehow control my UID to be ' OR true() OR ', that statement becomes:

DELETE FROM users WHERE uid IS '' OR true() OR ''

and I've just wiped out your users table.

I edited all the functions doing DB access to use prepared statements, like so:

query = "DELETE FROM users WHERE uid IS :uid"
db.execute(query, { "uid" : uid })

which is impossible to do an SQL injection into.

This is what PR #64 is about. (PR #64 also does other stuff, like using context managers for all DB functions to get safe commit-or-rollback semantics.)
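The two patterns from this comment side by side, as an added example that is not code from the snowboard project or PR #64. It assumes SQLite via Python's sqlite3 module (which accepts the `:uid` named placeholders shown above), a constructed in-memory `users` table, and the comment's own `' OR true() OR '` value as the input; the concatenated statement is only built, never executed, while the parameterized one is run against the table.

```python
import sqlite3

# Constructed sample data and the injected uid value from the comment above.
USERS = [("alice",), ("bob",), ("carol",)]
INJECTED_UID = "' OR true() OR '"


def open_db():
    """In-memory SQLite database seeded with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid TEXT PRIMARY KEY)")
    conn.executemany("INSERT INTO users (uid) VALUES (?)", USERS)
    conn.commit()
    return conn


def build_query_by_concatenation(uid):
    """The unsafe pattern: the value is spliced into the SQL text, so quotes in
    uid change the statement's structure. Built here for inspection, not executed."""
    return "DELETE FROM users WHERE uid IS '" + uid + "'"


def delete_user(conn, uid):
    """The fixed pattern: a named placeholder, so uid is always data, never SQL.
    `with conn:` commits on success and rolls back if the statement raises."""
    with conn:
        cur = conn.execute("DELETE FROM users WHERE uid IS :uid", {"uid": uid})
    return cur.rowcount


def count_users(conn):
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def demo():
    """Returns (unsafe SQL text, rows deleted by the injected value via the
    parameterized query, rows left afterwards, rows deleted for a real uid)."""
    conn = open_db()
    unsafe_sql = build_query_by_concatenation(INJECTED_UID)
    deleted_with_param = delete_user(conn, INJECTED_UID)  # no row has that literal uid
    remaining = count_users(conn)                        # table untouched
    deleted_real = delete_user(conn, "bob")              # exactly one row
    return unsafe_sql, deleted_with_param, remaining, deleted_real


if __name__ == "__main__":
    print(demo())
```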

@RodentOfUnusualSize RodentOfUnusualSize self-assigned this Sep 18, 2016
@RodentOfUnusualSize
Collaborator

PR #64 resolved all SQL injection issues in code that existed before it was branched, but some stuff was changed while it was being written.

So snowboard is not yet SQL-injection safe. I will fix the remaining stuff ASAP.
