Save db from SQL injections

a5549907 · Vasyl Bodnaruk · ecf4a02a · a5549907
Commit a5549907 authored Jul 14, 2017 by Vasyl Bodnaruk
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 1 deletion

views.py esi/scraper/views.py +10 -1

No files found.
--- a/esi/scraper/views.py
+++ b/esi/scraper/views.py
@@ -74,7 +74,7 @@ class NewJobCreateView(CreateView):
    def post(self, request, *args, **kwargs):
        name = request.POST.get('name')
        spider = Spider.objects.get(pk=request.POST.get('spider'))
-        query = request.POST.get('query')
+        query = self._validate_query(request.POST.get('query'))
        job = Job.objects.create(name=name, spider=spider, query=query)
        interval = request.POST.get('interval')
        if interval:
@@ -85,6 +85,15 @@ class NewJobCreateView(CreateView):

        return HttpResponseRedirect(reverse('job_list'))

+    def _validate_query(self, query):
+        block = [';', 'in', 'select']
+        if any(ext in query for ext in block):
+            print('Query is blocked')
+            return None
+        else:
+            return query
+
+

 @method_decorator(login_required, name='dispatch')
 class EditJobView(UpdateView):