Corgea · asadeddin · Oct 9, 2025 · corgea · Nov 5, 2025 · Copilot
diff --git a/insecure-app/app.py b/insecure-app/app.py
@@ -46,7 +46,7 @@ def index():
             sql = request.form['sql']
-            sql = request.form['sql']
+            query_key = request.form['sql']
+            try:
+                # Execute the user's SQL query
+                # Execute an allowlisted, parameterized query instead of raw user SQL
+                allowed_queries = {
+                    'get_all_users': ("SELECT id, username FROM users", ()),
+                    'get_user_by_id': ("SELECT id, username FROM users WHERE id = ?", (int(request.form.get('id', -1)),)),
+                }
+                if query_key not in allowed_queries:
+                    raise ValueError("Unsupported query key")
-            sql = request.form['sql']
+            query_key = request.form['sql']
+            try:
+                # Execute the user's SQL query
+                # Execute an allowlisted, parameterized query instead of raw user SQL
+                allowed_queries = {
+                    'get_all_users': ("SELECT id, username FROM users", ()),
+                    'get_user_by_id': ("SELECT id, username FROM users WHERE id = ?", (int(request.form.get('id', -1)),)),
+                }
+                if query_key not in allowed_queries:
+                    raise ValueError("Unsupported query key")
             try:
                 # Execute the user's SQL query
-                cursor.execute(sql)
+                cursor.execute(sql) # SQL inecjtion
-                cursor.execute(sql) # SQL inecjtion
+                cursor.execute(sql) # SQL injection
-                cursor.execute(sql) # SQL inecjtion
+                cursor.execute(sql) # SQL injection
                 # Fetch all rows from the query result
                 rows = cursor.fetchall()
                 # Format the results for display