Update app.py

[asadeddin]

No description provided.

[corgea]

SQL Injection ( 🔴 High ) - The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. View in Corgea ↗

More Details

🎟️Issue Explanation: The code builds an SQL command using external input without proper checks, allowing attackers to change the query and access or harm the database.

- "cursor.execute(sql)" runs a command that likely includes unchecked user input, enabling SQL Injection.
- Attackers can insert SQL code, e.g., ' OR 1=1 --, to bypass authentication or extract data.
- This risks exposing sensitive data or corrupting the database since SQL commands aren’t safely handled.

🪄Fix Explanation: The fix mitigates SQL Injection by separating the SQL query from its parameters and passing them separately to "cursor.execute", ensuring user inputs are properly escaped and not executed as SQL code.
The original code directly interpolated user input with "cursor.execute(sql)", which allowed SQL injection.
The fix uses "cursor.execute(sql_query, sql_params)", parameterizing inputs to neutralize malicious SQL.
User inputs are split into query text "sql_query" and parameters "sql_params" via "request.form.get" and "getlist".
This approach relies on the DB-API's parameter substitution, which safely escapes inputs rather than concatenating strings.

💡Important Instructions: Ensure the client side sends parameters in the expected params[] format and verify query templates disallow unsafe constructs to prevent logic flaws or errors.

Suggested change

	cursor.execute(sql) #oh-o
	# Split user input into SQL text and parameters for safer execution

[corgea]

SQL Injection ( 🔴 Critical ) - The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. View in Corgea ↗

More Details

🎟️Issue Explanation: The code runs an SQL command built from outside input without properly cleaning it, allowing attackers to change the query's behavior.

- The "cursor.execute(sql)" runs the raw SQL string without filtering special characters like quotes or SQL keywords.
- An attacker can inject SQL code (e.g., "1; DROP TABLE users;") to manipulate or damage the database.
- This happens because the external input is directly inserted into "sql" without any validation or escaping.

We could not generate a fix for this.