import sqlite3
coon = sqlite3.connect('db.sqlite3')
cursor = coon.cursor()
'''
tablesName = {
'users':['id', 'username', "last_msg", "reports", "users_reports"],
'message': ['msg', 'val'],
'waiting': ['id'],
"chat_sessions": ["sessions", 'user_id', 'end_time'],
"sessions_messages":["session", "user_id", "msg_id", "msg_id_in_partner"]
}
for table in tablesName:
cursor.execute(f"""CREATE TABLE IF NOT EXISTS '{table}'( {','.join(tablesName.get(table))} )""")
coon.commit()
'''
# randomChat/db/row.py
# [ SQL INJECTION ] Right here .
def row(table_name:str, column:str, word:str, want='*'):
return cursor.execute(f"SELECT {want} FROM {table_name} WHERE {column}='{word}'")
'''
@@ The Right why to do this :
- return cursor.execute(f"SELECT {want} FROM {table_name} WHERE {column}=(?)", (word,))
'''
# randomChat/main.py
'''
text = message.text
command = text[1:]
msg = db.row("message", "msg", command, "val")
bot.reply_to(message, msg)
'''
command = "hello' or 1=1 --"
print([i for i in row("message", "msg", command)])
# OUTPUT : => [('hello', None), ('0xNullByte', None)] , all the Value of msg column .