
Fix possible SQL injection vulnerability #51

Merged
merged 1 commit into from
Jan 11, 2024
48 changes: 30 additions & 18 deletions server/main.py
Expand Up @@ -3,16 +3,14 @@
import sqlite3
from aiohttp import web

sys.path.insert(1, 'C:/Users/943602/Desktop/proj/sent/projo/Valuations')
sys.path.insert(1, 'C:/Users/943602/Desktop/proj/sent/projo')
sys.path.insert(1, 'C:/Users/943602/Desktop/proj/sent/projo/Sentiment')
sys.path.insert(1, 'C:/Users/943602/Desktop/proj/sent/projo/Sentiment/pcr')
sys.path.insert(1, 'C:/Users/943602/Desktop/proj/sent/projo/SWOT')
sys.path.insert(1, 'C:\Users\Dev.Juneja\Downloads\Fin-Maestro-Web\Valuations')
sys.path.insert(1, 'C:\Users\Dev.Juneja\Downloads\Fin-Maestro-Web\Sentiment')
sys.path.insert(1, 'C:\Users\Dev.Juneja\Downloads\Fin-Maestro-Web\Sentiment\pcr')
sys.path.insert(1, 'C:\Users\Dev.Juneja\Downloads\Fin-Maestro-Web\SWOT')
import json
import pcr_analyzer
import valuation_determiner
import swot_generator
# from news import fetchnews, analy

routes = web.RouteTableDef()

Expand Down Expand Up @@ -70,7 +68,11 @@ async def registerTrade(request):
print(data)
conn = sqlite3.connect('system.db')
cursor = conn.cursor()
cursor.execute(f"INSERT INTO TRADES VALUES ({data['id']}, '{data['tickerName']}', {data['type']}, '{data['enterPrice']}', '{data['exitPrice']}', {data['isOpen']})")

# Use parameterized query to avoid SQL injection
cursor.execute("INSERT INTO TRADES VALUES (?, ?, ?, ?, ?, ?)",
(data['id'], data['tickerName'], data['type'], data['enterPrice'], data['exitPrice'], data['isOpen']))

conn.commit()
conn.close()
return web.Response(text=json.dumps({"success": "inserted"}))
Expand All @@ -79,23 +81,33 @@ async def registerTrade(request):
async def valu(request):
conn = sqlite3.connect('system.db')
cursor = conn.cursor()
cursor.execute(f"UPDATE TRADES SET exitPrice={request.match_info['exitPrice']}, isOpen='0' WHERE id={request.match_info['tradeID']}")

# Use parameterized query to avoid SQL injection
exit_price = request.match_info['exitPrice']
trade_id = request.match_info['tradeID']

cursor.execute("UPDATE TRADES SET exitPrice=?, isOpen='0' WHERE id=?", (exit_price, trade_id))

conn.commit()
conn.close()
return web.Response(text=json.dumps({"success": "inserted"}))

@routes.get("/api/trades/{ticker}")
async def valu(request):
conn = sqlite3.connect('system.db')
cursor = conn.cursor()
cursor.execute(f"SELECT * FROM TRADES WHERE tickerName='{request.match_info['ticker']}'")
output = cursor.fetchall()
di = {"trades": []}
for row in output:
di["trades"].append(list(row))
async def valu(request):
conn = sqlite3.connect('system.db')
cursor = conn.cursor()

conn.commit()
conn.close()
# Use parameterized query to avoid SQL injection
ticker_name = request.match_info['ticker']
cursor.execute("SELECT * FROM TRADES WHERE tickerName=?", (ticker_name,))

output = cursor.fetchall()
di = {"trades": []}
for row in output:
di["trades"].append(list(row))

conn.commit()
conn.close()
return web.Response(text=json.dumps(di))
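Review bot: The four replacement `sys.path.insert` lines in the first hunk are ordinary (non-raw) string literals, and in `'C:\Users\...'` the `\U` is parsed as a truncated `\UXXXXXXXX` unicode escape, so the module fails to compile before any route is registered; write them as `sys.path.insert(1, r'C:\Users\Dev.Juneja\Downloads\Fin-Maestro-Web\Valuations')` (and likewise for the other three), or better derive them from `__file__` so a developer-specific absolute path is not hard-coded at all. In the UPDATE hunk the bound `exit_price` and `trade_id` are now text parameters rather than the bare numeric literals the old f-string produced, and whether `WHERE id=?` still matches integer ids depends on the TRADES column affinity, which is not visible here; converting explicitly, `trade_id = int(request.match_info['tradeID'])`, and answering 400 on `ValueError` both settles that and rejects non-numeric route input before it reaches the database. The third hunk re-declares `async def valu`, so the module ends with two handlers of the same name and the second definition rebinds the first at module scope; distinct names such as `close_trade` and `list_trades` would keep tracebacks and logs readable. In all three handlers `conn.close()` is skipped when `execute` raises, so `with contextlib.closing(sqlite3.connect('system.db')) as conn:` would bound the connection's lifetime regardless of the outcome. The `registerTrade` body in the second hunk begins above the hunk.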

