Commit 4b85a5ee authored by Yannic Nevado Hidalgo's avatar Yannic Nevado Hidalgo
Initial commit

# challenge-security-web-applications
## Creating the database, table and users
The database is created in a PostgreSQL Docker container that is started via `docker-compose`.
```
# install the required Python packages
pip install -r requirements.txt
# start the containerised PostgreSQL server
docker-compose up
# log in to the server and connect to the (default) database postgres
psql -h localhost -U postgres -d postgres
```
In the next step the table `users` is created and three users are added.
```sql
CREATE TABLE users (
username varchar(10),
admin boolean
);
INSERT INTO users
(username, admin)
VALUES
('alice', true),
('bob', false),
('mallory', false);
```
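Review bot: the `psql -h localhost -U postgres -d postgres` step prompts for a password, and the README never says that it is the `POSTGRES_PASSWORD: postgres` value from docker-compose.yml; add it to the login comment or mention `PGPASSWORD`. Since `docker-compose up` without `-d` keeps the terminal attached, it is also worth saying that the psql command runs in a second shell.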
version: '3.1'
services:
db:
image: postgres
restart: always
environment:
POSTGRES_PASSWORD: postgres
ports:
- 5432:5432
\ No newline at end of file
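Review bot: `- 5432:5432` publishes the database on every host interface with the superuser password `postgres`, so anyone who can reach the host gets a superuser login; for a local challenge bind to loopback only (`- 127.0.0.1:5432:5432`). The unpinned `image: postgres` also means the setup can change underneath readers; pin a major tag such as `postgres:14`. The file is missing its trailing newline.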
main.py 0 → 100644
from sys import argv
import psycopg2
def get_connection():
db_connect = psycopg2.connect(
host="localhost",
database="postgres",
user="postgres",
password="postgres",
)
db_connect.set_session(autocommit=True)
return db_connect
def is_admin(username: str) -> bool:
conn = get_connection()
with conn.cursor() as cursor:
# UNSECURE
cursor.execute("""SELECT admin FROM users WHERE username = '%s' """ % username)
# SECURE
#cursor.execute("""SELECT admin FROM users WHERE username = %(username)s """, {'username': username})
result = cursor.fetchone()
if result is None:
return False
admin, = result
return admin
if __name__ == "__main__":
username = str(argv[1])
# is_admin("'; update users set admin = 'true' where username = 'mallory'; select true; --")
print(username + " is an admin: " + str(is_admin(username)))
\ No newline at end of file
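Review bot: `get_connection()` opens a new connection on every `is_admin()` call and never closes it, and the parameterized query on the `# SECURE` line is commented out while the `%`-formatted one runs by default, so anyone copying this file ships the injectable version. Suggest making the `%(username)s` parameterized `cursor.execute` the active path and keeping the unsafe variant behind an explicit demo flag, closing the connection (for example `with contextlib.closing(get_connection()) as conn:`), and checking `len(argv) > 1` before reading `argv[1]` so a missing argument prints a usage line instead of raising `IndexError`.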
psycopg2==2.9.3
\ No newline at end of file
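Review bot: `psycopg2==2.9.3` is built from source and needs the libpq headers and a C compiler on the reader's machine, so the README's `pip install -r requirements.txt` step fails on a bare system; `psycopg2-binary==2.9.3` ships prebuilt wheels and is the usual choice for a demo project.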