From a7381d5257fbd8773379530e78346dfe87508779 Mon Sep 17 00:00:00 2001 From: Yannik <15837468+ComBeat@users.noreply.github.com> Date: Wed, 6 Mar 2024 00:10:42 +0100 Subject: [PATCH] Use prepared statements for SQL Delete commands (#17) --- database.py | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/database.py b/database.py index 4567f12..982626f 100644 --- a/database.py +++ b/database.py @@ -31,14 +31,14 @@ def verify(id, pw): def delete_user_from_db(id): _conn = sqlite3.connect(user_db_file_location) _c = _conn.cursor() - _c.execute("DELETE FROM users WHERE id = '" + id + "';") + _c.execute("DELETE FROM users WHERE id = ?;", (id)) _conn.commit() _conn.close() # when we delete a user FROM database USERS, we also need to delete all his or her notes data FROM database NOTES _conn = sqlite3.connect(note_db_file_location) _c = _conn.cursor() - _c.execute("DELETE FROM notes WHERE user = '" + id + "';") + _c.execute("DELETE FROM notes WHERE user = ?;", (id)) _conn.commit() _conn.close() @@ -47,7 +47,7 @@ def delete_user_from_db(id): # [2] delete all his or her images records FROM database IMAGES _conn = sqlite3.connect(image_db_file_location) _c = _conn.cursor() - _c.execute("DELETE FROM images WHERE owner = '" + id + "';") + _c.execute("DELETE FROM images WHERE owner = ?;", (id)) _conn.commit() _conn.close() @@ -101,8 +101,7 @@ def delete_note_from_db(note_id): _conn = sqlite3.connect(note_db_file_location) _c = _conn.cursor() - command = "DELETE FROM notes WHERE note_id = '" + note_id + "';" - _c.execute(command) + _c.execute("DELETE FROM notes WHERE note_id = ?;", (note_id)) _conn.commit() _conn.close() @@ -147,8 +146,7 @@ def delete_image_from_db(image_uid): _conn = sqlite3.connect(image_db_file_location) _c = _conn.cursor() - command = "DELETE FROM images WHERE uid = '" + image_uid + "';" - _c.execute(command) + _c.execute("DELETE FROM images WHERE uid = ?;", (image_uid)) _conn.commit() _conn.close()