From 793c1fa130b162252af74e21f103d2fa4d215fa3 Mon Sep 17 00:00:00 2001
From: XD-DENG
Date: Tue, 17 Apr 2018 22:09:38 +0800
Subject: [PATCH] 1. use .encode(); 2. use placeholder for SQL INSERT
1. this makes the code able to run on both Python 2 and 3 (previous version only support 2);
2. Use placeholder to prepare SQL INSERT statement. This is much more proper than using .format to prepare the statement. One obvious advantage is it can handle single/double quotations marks very perfectly. The previou version will fail if there is single quotation mark in the values that I'm going to insert.
---
 app.py | 2 +-
 database.py | 13 +++++--------
 2 files changed, 6 insertions(+), 9 deletions(-)
diff --git a/app.py b/app.py
index b566f80..18f8197 100644
--- a/app.py
+++ b/app.py
@@ -118,7 +118,7 @@ def FUN_upload_image():
 if file and allowed_file(file.filename):
 filename = secure_filename(file.filename)
 upload_time = str(datetime.datetime.now())
- image_uid = hashlib.sha1(upload_time + filename).hexdigest()
+ image_uid = hashlib.sha1((upload_time + filename).encode()).hexdigest()
 # Save the image into UPLOAD_FOLDER
 file.save(os.path.join(app.config['UPLOAD_FOLDER'], image_uid + "-" + filename))
 # Record this uploading in database
diff --git a/database.py b/database.py
index 81400fe..5113dc7 100644
--- a/database.py
+++ b/database.py
@@ -22,7 +22,7 @@ def verify(id, pw):
 _c = _conn.cursor()
 _c.execute("select pw from users where id = '" + id + "';")
- result = _c.fetchone()[0] == hashlib.sha256(pw).hexdigest()
+ result = _c.fetchone()[0] == hashlib.sha256(pw.encode()).hexdigest()
 _conn.close()
@@ -55,8 +55,7 @@ def add_user(id, pw):
 _conn = sqlite3.connect(user_db_file_location)
 _c = _conn.cursor()
- command = "insert into users values('" + id.upper() + "', '" + hashlib.sha256(pw).hexdigest() + "');"
- _c.execute(command)
+ _c.execute("insert into users values(?, ?)", (id.upper(), hashlib.sha256(pw.encode()).hexdigest()))
 _conn.commit()
 _conn.close()
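Review bot: The new `image_uid` is still a SHA-1 of `upload_time + filename`, two values the uploader knows or chooses, so it is a deterministic label rather than an unguessable handle, and the same value becomes part of the on-disk name passed to `file.save` on the following context line; a random id is the safer choice, e.g. `image_uid = uuid.uuid4().hex` (stdlib, works on Python 2 and 3 as the commit intends, needs `import uuid`). Two uploads with the same filename that land in the same `datetime.now()` string would also produce the same uid. The note id built in the write_note_into_db hunk of database.py (`hashlib.sha1((id.upper() + current_timestamp).encode())`) has the same shape and the same remedy. FUN_upload_image starts before and continues after the hunk.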
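Review bot: The context line `_c.execute("select pw from users where id = '" + id + "';")` still builds the query by concatenating the caller-supplied `id`, so the login lookup remains open to SQL injection even though the commit moves every INSERT to placeholders; the same `?` form fixes it: `_c.execute("select pw from users where id = ?", (id,))`. Also, `_c.fetchone()[0]` on the added line raises `TypeError` for an unknown user, because `fetchone()` returns `None` when no row matches; bind the row first and treat `None` as a failed verification, e.g. `row = _c.fetchone()` then `result = row is not None and row[0] == hashlib.sha256(pw.encode()).hexdigest()`. verify starts before and ends after the hunk.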
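Review bot: `hashlib.sha256(pw.encode()).hexdigest()` on the added line stores an unsalted, single-round SHA-256 as the password verifier, which is cheap to attack offline if the database leaks and makes equal passwords share one stored value; the verify hunk at line 22 compares against the same construction. The stdlib `hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)` with a per-user `os.urandom(16)` salt stored next to the hash is the usual fix (it needs a salt column in `users` and a matching change in verify), or a dedicated password-hashing library. Note too that this function stores `id.upper()` while verify's SELECT uses `id` as given, so the lookup only matches if every caller upper-cases the id before calling verify — worth confirming. add_user starts before and ends after the hunk.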
@@ -93,8 +92,7 @@ def write_note_into_db(id, note_to_write):
 _c = _conn.cursor()
 current_timestamp = str(datetime.datetime.now())
- command = u"insert into notes values('{0}', '{1}', '{2}', '{3}');".format(id.upper(), current_timestamp, note_to_write, hashlib.sha1(id.upper() + current_timestamp).hexdigest())
- _c.execute(command)
+ _c.execute("insert into notes values(?, ?, ?, ?)", (id.upper(), current_timestamp, note_to_write, hashlib.sha1((id.upper() + current_timestamp).encode()).hexdigest()))
 _conn.commit()
 _conn.close()
@@ -113,8 +111,7 @@ def image_upload_record(uid, owner, image_name, timestamp):
 _conn = sqlite3.connect(image_db_file_location)
 _c = _conn.cursor()
- command = "insert into images values ('{0}', '{1}', '{2}', '{3}');".format(uid, owner, image_name, timestamp)
- _c.execute(command)
+ _c.execute("insert into images values (?, ?, ?, ?)", (uid, owner, image_name, timestamp))
 _conn.commit()
 _conn.close()
@@ -163,4 +160,4 @@ def delete_image_from_db(image_uid):
 if __name__ == "__main__":
- print list_users()
\ No newline at end of file
+ print(list_users())
\ No newline at end of file
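Review bot: The added `_c.execute(...)` line packs the SQL, a four-element tuple and a nested hash computation into one very long statement, and it evaluates `id.upper()` twice; binding the pieces first reads better and makes the stored row easy to inspect in a debugger: `owner = id.upper()`, `note_uid = hashlib.sha1((owner + current_timestamp).encode()).hexdigest()`, then `_c.execute("insert into notes values(?, ?, ?, ?)", (owner, current_timestamp, note_to_write, note_uid))`. The `u` prefix dropped from the removed line is harmless here because the SQL text is ASCII and the user data now travels through parameters. write_note_into_db starts before and ends after the hunk.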
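Review bot: The connection from `sqlite3.connect(image_db_file_location)` is closed only on the success path: if the new `_c.execute(...)` raises (a constraint violation on a repeated `uid`, for instance), the `_conn.commit()` and `_conn.close()` context lines are skipped and the connection is left open with a pending transaction. The verify, add_user and write_note_into_db hunks have the same shape. Using the connection as a context manager gives commit-on-success and rollback-on-error, and `contextlib.closing` guarantees the close on both Python 2 and 3; `import contextlib` is needed at the top of database.py, which is outside this diff. image_upload_record's def line appears only in the hunk header, so its opening lines are outside the hunk.
```python
def image_upload_record(uid, owner, image_name, timestamp):
    with contextlib.closing(sqlite3.connect(image_db_file_location)) as _conn:
        with _conn:  # commits on success, rolls back if execute raises
            _c = _conn.cursor()
            _c.execute("insert into images values (?, ?, ?, ?)", (uid, owner, image_name, timestamp))
```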