修改了参数化查询功能，防止sql注入攻击篡改数据，之前是只能保护数据机密性，不能保证完整性

TheBattleCar/.idea/.name

@@ -0,0 +1 @@
+app.py

TheBattleCar/.idea/vcs.xml

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="VcsDirectoryMappings">
+    <mapping directory="$PROJECT_DIR$/.." vcs="Git" />
+  </component>
+</project>

TheBattleCar/app.py

@@ -165,6 +165,7 @@ def login():
         password = request.form['password']
         
         cursor = mysql.connection.cursor()
+        # 使用参数化查询检查用户是否存在
         cursor.execute("SELECT * FROM users WHERE username = %s AND password = %s", (username, password))
         user_data = cursor.fetchone()
         cursor.close()
@@ -189,19 +190,30 @@ def login():
     return render_template('login.html')
 
 # 处理数据库语句
-def con_my_sql(sql_code):
+def con_my_sql(sql_code, params=None):
     try:
+        # 尝试连接数据库
         conn.ping(reconnect=True)
-        cursor= conn.cursor(pymysql.cursors.DictCursor)
-        cursor.execute(sql_code)
+        # 创建游标对象，结果以字典形式返回
+        cursor = conn.cursor(pymysql.cursors.DictCursor)
+        # 如果传入了参数，使用参数化查询
+        if params:
+            cursor.execute(sql_code, params)
+        else:
+            cursor.execute(sql_code)
+        # 提交事务
         conn.commit()
-        conn.close()
+        # 返回游标对象
         return cursor
     except pymysql.MySQLError as err_massage:
+        # 捕获异常，回滚事务
         conn.rollback()
+        # 关闭连接
         conn.close()
+        # 返回异常类型和异常信息
         return type(err_massage), err_massage
-    
+        
+        
 class RegisterForm(Form):
     captcha = StringField(validators=[Length(min=4,max=4,message='校验码格式错误')])
     username = StringField(validators=[Length(min=3,max=10,message='用户名长度必须在3到10个字符之间')])
@@ -226,13 +238,16 @@ def register():
             # 静态注册码进行角色注册
             if captcha == "1111":
                 role = "侦查者"
-            if captcha == "2222":
+            elif captcha == "2222":
                 role = "指挥者"
-            if captcha == "3333":
+            elif captcha == "3333":
                 role = "攻击者"
+            else:
+                return '无效的校验码 <a href="/">返回登录</a>'
 
-            code = "select * from users where username = '%s'" % username
-            cursor_ans = con_my_sql(code)
+            # 使用参数化查询检查用户是否存在
+            code = "SELECT * FROM users WHERE username = %s"
+            cursor_ans = con_my_sql(code, (username,))
             cursor_select = cursor_ans.fetchall()
 
             if len(cursor_select) > 0:
@@ -240,8 +255,9 @@ def register():
             else:
                 # 加密密码
                 encrypted_password = encrypt_message(password)
-                code = "INSERT INTO users(username, password, role) VALUES('%s', '%s', '%s')" % (username, encrypted_password, role)
-                print(con_my_sql(code))
+                # 使用参数化查询插入新用户
+                code = "INSERT INTO users(username, password, role) VALUES(%s, %s, %s)"
+                con_my_sql(code, (username, encrypted_password, role))
                 return '注册成功 <a href="/">返回登录</a>'
         else:
             print(form.errors)

TheBattleCar/secret.key

@@ -1 +1 @@
-cykFDUsS45ugR2oQsP7rGPMkDQK6bXcTJ6HMBdHleuI=
+vnPkFMausWZGX3tSSFMlFJ1n-71Bzha67f_gK9TyklA=