kaku/PyGetGPT
1
0
Fork 0
mirror of https://github.com/Kakune55/PyGetGPT.git synced 2025-05-06 18:29:24 +08:00
Code Issues Packages Projects Releases Wiki Activity

解决了因为字符串拼接可能导致的SQL注入问题

Browse Source
This commit is contained in:
Kakune55 2023-12-13 08:18:46 +08:00
parent f85cf254ca
commit 316a07a85f
1 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
db.py
View File

@ -12,7 +12,7 @@ def userSurplus(userkey):
cursor = db.cursor() cursor = db.cursor()
# 使用 execute() 方法执行 SQL 查询 # 使用 execute() 方法执行 SQL 查询
cursor.execute(f"SELECT surplus FROM usersurplus WHERE userkey = '{userkey}';") cursor.execute(f"SELECT surplus FROM usersurplus WHERE userkey = %s;",[userkey])
# 使用 fetchone() 方法获取单条数据. # 使用 fetchone() 方法获取单条数据.
data = cursor.fetchone() data = cursor.fetchone()
@ -34,7 +34,7 @@ def reduce_value(userkey, value): # 减去对应的值
cursor = db.cursor() cursor = db.cursor()
# 执行 SQL 查询以获取当前值 # 执行 SQL 查询以获取当前值
cursor.execute(f"SELECT surplus FROM usersurplus WHERE userkey = '{userkey}';") cursor.execute(f"SELECT surplus FROM usersurplus WHERE userkey = %s;",[userkey])
current_value = cursor.fetchone()[0] current_value = cursor.fetchone()[0]
# 如果没有找到用户,则返回错误信息 # 如果没有找到用户,则返回错误信息
@ -46,7 +46,7 @@ def reduce_value(userkey, value): # 减去对应的值
new_value = current_value - value new_value = current_value - value
# 更新数据库中的值 # 更新数据库中的值
cursor.execute(f"UPDATE usersurplus SET surplus={new_value} WHERE userkey='{userkey}'") cursor.execute(f"UPDATE usersurplus SET surplus= %s WHERE userkey=%s",[new_value,userkey])
# 提交事务 # 提交事务
db.commit() db.commit()