[chronojump-server] Uses Mysql placeholders instead of concatenating strings.



commit 337b7b2d49f4be539b06da274488629c858050c5
Author: Carles Pina i Estany <carles pina cat>
Date:   Mon Jun 5 15:45:39 2017 -0400

    Uses Mysql placeholders instead of concatenating strings.
    
    To avoid:
    https://xkcd.com/327/

 main.py |    5 ++---
 1 files changed, 2 insertions(+), 3 deletions(-)
---
diff --git a/main.py b/main.py
index 6dbee7c..9145f28 100755
--- a/main.py
+++ b/main.py
@@ -110,9 +110,8 @@ def getPersonByRFID():
 
     (con, cur) = connect_db(cursorclass=MySQLdb.cursors.DictCursor)
 
-    selectStr = "SELECT * FROM person where rfid = \"" + rfid + "\""
-    print(selectStr)
-    cur.execute(selectStr)
+    cur.execute("SELECT * FROM person where rfid = %s", (rfid, ))
+    print(cur._last_executed)
     people = cur.fetchall()
 
     assert len(people) >= 1
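Review bot: The new debug line `print(cur._last_executed)` reads a private, undocumented attribute of the MySQLdb cursor, so it can break on a driver upgrade, and it writes the fully interpolated statement, including the caller-supplied rfid value, to stdout. The parameterized `cur.execute` above already removes the injection risk; if a trace is still wanted, print the template and the bound parameter separately, e.g. `print("SELECT * FROM person where rfid = %s", (rfid,))`, or better, drop the print and use the module logger at debug level. Note also that the unchanged `assert len(people) >= 1` is stripped under `python -O`, so a missing RFID would then fall through instead of failing; an explicit check that returns a 404-style error would be more robust, though that is outside this change. getPersonByRFID begins before the hunk and continues past it.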

