Diffstat (limited to 'cgi/framework.py')
-rw-r--r--cgi/framework.py40
1 files changed, 27 insertions, 13 deletions
diff --git a/cgi/framework.py b/cgi/framework.py
index 5277df0..e2af143 100644
--- a/cgi/framework.py
+++ b/cgi/framework.py
@@ -4,7 +4,6 @@ import cgi
import datetime
import time
import hashlib
-import pickle
import socket
import urllib.request, urllib.parse, urllib.error
import re
@@ -38,6 +37,14 @@ def setBoard(dir):
return board
+def str2boards(sstr):
+ return sstr.split(',')
+
+
+def boards2str(boards):
+ return ','.join(boards)
+
+
def cleanDir(path, ext=None):
if ext:
filelist = [f for f in os.listdir(path) if f.endswith("." + ext)]
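Review bot: `str2boards('')` returns `['']` rather than an empty list, so a caller that forgets the emptiness check will treat the empty board name as a listed board. Returning `sstr.split(',') if sstr else []` removes that trap. Both helpers would also benefit from a one-line docstring stating that the stored format is a plain comma-separated list of board directory names. `boards2str` does not reject a name that itself contains a comma, which would not round-trip.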
@@ -49,14 +56,14 @@ def cleanDir(path, ext=None):
def addressIsBanned(ip, board, blind_only=False):
- query = "SELECT * FROM `bans` WHERE INET6_ATON('"+str(ip)+"') BETWEEN `ipstart` AND `ipend`"
+ query = "SELECT * FROM `bans` WHERE INET6_ATON(%s) BETWEEN `ipstart` AND `ipend`"
if blind_only:
query += " AND `blind` = '1'"
- bans = FetchAll(query)
+ bans = FetchAll(query, (ip,))
for ban in bans:
- if ban["boards"] != "":
- boards = pickle.loads(ban["boards"])
- if ban["boards"] == "" or board in boards:
+ if ban["boards"]:
+ boards = str2boards(ban["boards"])
+ if not ban["boards"] or board in boards:
if board not in Settings.EXCLUDE_GLOBAL_BANS:
return True
return False
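Review bot: Rows of `bans` written before this change still hold pickled data in `boards`, and `str2boards(ban["boards"])` will not recover the board names from them, so board-scoped bans may silently stop matching. No migration is visible in this diff. If it is not handled elsewhere, convert the existing rows in the same change. If the driver returns this column as bytes (the old `pickle.loads` call suggests it may), `split(',')` with a str separator raises TypeError, so decode first. A comment such as `# bans.boards: comma-separated board dirs, empty = global ban` above the loop would document the new format. The function body is fully inside this hunk.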
@@ -140,15 +147,22 @@ def updateBoardSettings():
Pickle the board's settings and store it in the configuration field
"""
board = Settings._.BOARD
- #UpdateDb("UPDATE `boards` SET `configuration` = '%s' WHERE `id` = %s LIMIT 1" % (_mysql.escape_string(configuration), board["id"]))
-
+
del board["filetypes"]
del board["filetypes_ext"]
- post_values = ["`" + _mysql.escape_string(str(key)) + "` = '" + _mysql.escape_string(
- str(value)) + "'" for key, value in board.items()]
-
- UpdateDb("UPDATE `boards` SET %s WHERE `id` = '%s' LIMIT 1" %
- (", ".join(post_values), board["id"]))
+
+ sql = "UPDATE `boards` SET "
+ keys = []
+ values = []
+ for k, v in board.items():
+ keys.append("`" + k + "` = %s")
+ values.append(v)
+
+ sql += ", ".join(keys)
+ sql += " WHERE `id` = %s LIMIT 1"
+ values.append(board["id"])
+
+ UpdateDb(sql, values)
def timestamp(t=None):
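Review bot: Column names are still concatenated into the statement at ``keys.append("`" + k + "` = %s")``; only the values are bound, and the escaping the old code applied to the key has been dropped. Identifiers cannot be passed as parameters, so check each key before it is used, for example `if not re.fullmatch(r"\w+", k): raise ValueError("invalid column name")`, or compare against the known column list of `boards`. Whether the keys of `Settings._.BOARD` can ever be influenced by a request is not visible here, so this is defence in depth. The docstring above still says "Pickle the board's settings", which no longer matches the code. The function starts above this hunk.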