| author | Guillaume Horel <guillaume.horel@gmail.com> | 2018-11-23 18:39:05 -0500 |
|---|---|---|
| committer | Guillaume Horel <guillaume.horel@gmail.com> | 2018-11-23 18:39:31 -0500 |
| commit | 5e06cb0e1d4f4bcda2976a1daba6dbb4a3b011c7 (patch) | |
| tree | ed9fafb702b7e3089ec0a07cd9094bcc01400ab1 | |
| parent | a6fcd6e4408360b1beb565c93f8f96b2c94a1777 (diff) | |
| download | famille-flask-5e06cb0e1d4f4bcda2976a1daba6dbb4a3b011c7.tar.gz | |
belt and braces
We want to be sure that no SQL injection is possible through
the column names, so we use a whitelist.
| -rw-r--r-- | famille.py | 6 |
1 files changed, 4 insertions, 2 deletions
@@ -269,8 +269,10 @@ def edit_user(): pass result['notify'] = "notify" in request.form - result.update({k: v for k, v in request.form.items() if k not in - ['password', 'password_confirm', 'notify']}) + for k in ["birthday", "nameday", "email", "phone", "adress_line1", + "adress_line2", "adress_city_line", "timezone"]: + if k in result.form: + result[k] = result.form[k] set_string = ",".join([f"{k}=?" for k in result.keys()]) sqlstr = f"UPDATE users SET {set_string} WHERE id=?" db = get_db() |
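Review bot: the two added lines `if k in result.form:` and `result[k] = result.form[k]` look up `.form` on `result`, which is the plain dict being assembled (`result['notify'] = "notify" in request.form` just above), not on the Flask `request` object, so the first loop iteration will raise an AttributeError and the update never runs; they should read `if k in request.form:` and `result[k] = request.form[k]`. With that fixed, the whitelist does what the commit message asks for: only the eight listed names (plus `notify`) can reach `set_string` and the interpolated `UPDATE users SET {set_string} WHERE id=?` string, while the values themselves still go through `?` placeholders, whereas the removed comprehension let any form field name that was not `password`, `password_confirm` or `notify` be spliced into the SQL text. Also worth confirming that `adress_line1`, `adress_line2` and `adress_city_line` are the exact column names in the `users` table, since a mismatch now fails at the database rather than being visible in the form handling.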
