templates/footer.html

@@ -1,4 +1,4 @@
 <div id='footer'>
 	Note that Curious Greg uses a cookie to store your login state. Deleting the cookie used by Curious Greg will log you out of your account. Posting will still function as normal.<br />
-	Created by <a target="_blank" href='https://fedi.lynnesbian.space/@lynnesbian'>@lynnesbian@fedi.lynnesbian.space</a> (message her about any bugs you find). Source code is available <a target="_blank" href='https://git.lynnesbian.space/curious-greg'>here</a>, under the <a target="_blank" href='https://www.mozilla.org/en-US/MPL/2.0/'>Mozilla Public License Version 2.0</a>.
+	Created by <a href='https://fedi.lynnesbian.space/@lynnesbian'>@lynnesbian@fedi.lynnesbian.space</a> (message her about any bugs you find). Source code is available <a href='https://git.lynnesbian.space/curious-greg'>here</a>, under the <a href='https://www.mozilla.org/en-US/MPL/2.0/'>Mozilla Public License Version 2.0</a>.
 </div>

web.py

@@ -57,14 +57,14 @@ def home():
 			session['cc'] = "None"
 		if session['cc'] == "None":
 			#every time home is rendered without cc being set
-			c.execute("SELECT cc FROM `data` WHERE client_id LIKE %s AND instance LIKE %s", (session['client_id'], session['instance']))
+			cc = c.execute("SELECT cc FROM `data` WHERE client_id LIKE ? AND instance LIKE ?", (session['client_id'], session['instance'])).fetchone()[0]
-			cc = c.fetchone()[0]
 			if cc != '':
 				session['cc'] = cc
 		
 		if 'last_avi_update' not in session or session['last_avi_update'] + (24 * 60 * 60) < time.time():
-			#avatars haven't been updated for over 24 hours, update them now
+			#avatars haven't been updated for over 24 hours
-			client = Mastodon(client_id=session['client_id'], client_secret=session['client_secret'], access_token=session['secret'], api_base_url=session['instance'])
+			# avis = c.execute("SELECT avi, ccavi FROM `data` WHERE client_id LIKE ?", (session['client_id'],)).fetchone()
+			client = Mastodon(client_id=session['client_id'], client_secret=session['client_secret'], api_base_url=session['instance'])
 
 			session['avi'] = client.account_verify_credentials()['avatar']
 			if session['cc'] != None:
@@ -72,9 +72,9 @@ def home():
 				r = requests.get("https://curiouscat.me/api/v2/profile?username={}".format(session['cc']))
 				j = r.json()
 				session['ccavi'] = j['userData']['avatar']
-				c.execute("UPDATE data SET avi = %s, ccavi = %s WHERE client_id LIKE %s AND instance LIKE %s", (session['avi'], session['ccavi'], session['client_id'], session['instance']))
+				c.execute("UPDATE data SET avi = ?, ccavi = ? WHERE client_id LIKE ? AND instance LIKE ?", (session['avi'], session['ccavi'], session['client_id'], session['instance']))
 			else:
-				c.execute("UPDATE data SET avi = %s WHERE client_id LIKE %s AND instance LIKE %s", (session['avi'], session['client_id'], session['instance']))
+				c.execute("UPDATE data SET avi = ? WHERE client_id LIKE ? AND instance LIKE ?", (session['avi'], session['client_id'], session['instance']))
 		return render_template("home.html")
 	else:
 		return redirect(url_for('main'))
@@ -84,11 +84,6 @@ def home():
 def print_debug_info():
 	return json.dumps(session._get_current_object())
 
-@app.route('/reset') #TODO: ditto
-def reset_session():
-	session.clear()
-	return redirect(url_for('main'))
-
 @app.route('/login')
 def log_in():
 	if 'acct' in session:
@@ -128,14 +123,13 @@ def internal_auth_b():
 	session['username'] = acct_info['username']
 	session['avi'] = acct_info['avatar']
 	session['acct'] = "@{}@{}".format(session['username'], session['instance'].replace("https://", ""))
-	c.execute("SELECT COUNT(*) FROM data WHERE username LIKE %s AND instance LIKE %s", (session['username'], session['instance']))
+	if c.execute("SELECT COUNT(*) FROM data WHERE username LIKE ? AND instance LIKE ?", (session['username'], session['instance'])).fetchone()[0] > 0:
-	if c.fetchone()[0] > 0:
 		#user already has an account with CG
 		#update the user's info to use the new info we just got, then redirect them to the login page
-		c.execute("UPDATE data SET client_id = ?, client_secret = ?, secret = ?, avi = ? WHERE username LIKE %s AND instance LIKE %s", (session['client_id'], session['client_secret'], session['secret'], session['avi'], session['username'], session['instance']))
+		c.execute("UPDATE data SET client_id = ?, client_secret = ?, secret = ?, avi = ? WHERE username LIKE ? AND instance LIKE ?", (session['client_id'], session['client_secret'], session['secret'], session['avi'], session['username'], session['instance']))
 		return redirect(url_for('log_in'))
 	else:
-		return redirect(url_for('create_password'))
+		return redirect(url_for('home'))
 
 @app.route('/internal/do_login')
 def do_login():
@@ -144,7 +138,7 @@ def do_login():
 	acct = request.form['acct']
 	session['username'] = re.match("^@[^@]*", acct).group(0)
 	session['instance'] = "https://{}".format(re.search("@([^@]+)$", acct).group(1))
-	data = dc.execute("SELECT * FROM data WHERE username LIKE %s AND password LIKE %s", (session['username'], session['instance'])).fetch_one()
+	data = dc.execute("SELECT * FROM data WHERE username LIKE ? AND password LIKE ?", (session['username'], session['instance'])).fetch_one()
 	if bcrypt.checkpw(pw_hashed, data['password']):
 		#password is correct, log the user in
 		for item in ['username', 'instance', 'avi', 'secret', 'client_id', 'client_secret', 'cc', 'ccavi']:
@@ -155,15 +149,15 @@ def do_login():
 
 @app.route('/create_password')
 def create_password():
-	return render_template("create_password.html", bg = "background-image:url('{}')".format(session['avi']))
+	return render_template("create_password.html", bg = "\"background-image:url('{}')\"".format(session['avi']))
 
 @app.route('/internal/create_account', methods=['POST'])
 def create_account():
 	pw_in = request.form['pw']
-	if len(pw_in) < 6 or pw_in == 'password': #TODO: this is a pretty crappy check
+	if len(pw_in < 6) or pw_in == 'password':
 		return redirect('/create_password?invalid')
-	pw_hashed = hashlib.sha256(pw_in.encode('utf-8')).digest()
+	pw_hashed = hashlib.sha256(pw_in.encode('utf-8'))
 	pw = bcrypt.hashpw(pw_hashed, bcrypt.gensalt(15))
-	c.execute("INSERT INTO data (username, instance, avi, password, secret, client_id, client_secret) VALUES (%s, %s, %s, %s, %s, %s, %s)", (session['username'],  session['instance'], session['avi'], pw, session['secret'], session['client_id'], session['client_secret']))
+	c.execute("INSERT INTO data (username, instance, avi, password, secret, client_id, client_secret) VALUES (?, ?, ?, ?, ?)", (session['username'], pw, session['instance'],  session['secret'], session['client_id'], session['client_secret']))
 	db.commit()
 	return redirect(url_for('home'))