Newer
Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
from sys import argv
import psycopg2
def get_connection():
db_connect = psycopg2.connect(
host="localhost",
database="postgres",
user="postgres",
password="postgres",
)
db_connect.set_session(autocommit=True)
return db_connect
def is_admin(username: str) -> bool:
conn = get_connection()
with conn.cursor() as cursor:
# UNSECURE
cursor.execute("""SELECT admin FROM users WHERE username = '%s' """ % username)
# SECURE
#cursor.execute("""SELECT admin FROM users WHERE username = %(username)s """, {'username': username})
result = cursor.fetchone()
if result is None:
return False
admin, = result
return admin
if __name__ == "__main__":
username = str(argv[1])
# is_admin("'; update users set admin = 'true' where username = 'mallory'; select true; --")
print(username + " is an admin: " + str(is_admin(username)))