53 lines
1.3 KiB
Python
53 lines
1.3 KiB
Python
#!/usr/bin/env python3
|
|
# -*- coding: utf-8 -*-
|
|
"""SQL injection example"""
|
|
|
|
import sqlite3
|
|
|
|
from flask import Flask, jsonify, request
|
|
|
|
app: Flask = Flask(__name__)
|
|
|
|
|
|
def init_db() -> None:
|
|
"""Initialises the database"""
|
|
|
|
conn: sqlite3.Connection = sqlite3.connect("users.db")
|
|
c: sqlite3.Cursor = conn.cursor()
|
|
|
|
c.execute(
|
|
"""
|
|
CREATE TABLE IF NOT EXISTS users (
|
|
id INTEGER PRIMARY KEY AUTOINCREMENT,
|
|
username TEXT NOT NULL
|
|
)
|
|
"""
|
|
)
|
|
|
|
c.execute("DELETE FROM users")
|
|
c.execute("INSERT INTO users (username) VALUES ('alice')")
|
|
c.execute("INSERT INTO users (username) VALUES ('bob')")
|
|
c.execute("INSERT INTO users (username) VALUES ('charlie')")
|
|
|
|
conn.commit()
|
|
conn.close()
|
|
|
|
|
|
@app.get("/")
|
|
def index():
|
|
"""Index page"""
|
|
|
|
username: str = request.args.get("username", "")
|
|
query: str = f"SELECT * FROM users WHERE username = '{username}'"
|
|
print("Executing:", query)
|
|
conn: sqlite3.Connection = sqlite3.connect("users.db")
|
|
# cursor.execute("SELECT * FROM users WHERE username = ?", (username,))
|
|
user: str = conn.execute(query).fetchall()
|
|
conn.close()
|
|
|
|
return jsonify(user) if user else ("User not found. Supply username= GET param.", 404)
|
|
|
|
|
|
if __name__ == "__main__":
|
|
init_db()
|
|
app.run(debug=True)
|