[chronojump-server] Uses Mysql placeholders instead of concatenating	the query by hand.
- From: Carles Pina i Estany <carlespina src gnome org>
- To: commits-list gnome org
- Cc: 
- Subject: [chronojump-server] Uses Mysql placeholders instead of concatenating	the query by hand.
- Date: Mon,  5 Jun 2017 19:52:59 +0000 (UTC)
commit a2bdffe8a6c3c8fcfe8f265a4890b1983b8dd8f0
Author: Carles Pina i Estany <carles pina cat>
Date:   Mon Jun 5 15:52:03 2017 -0400
    Use MySQL placeholders instead of concatenating the query by hand.
    
    To avoid:
    https://xkcd.com/327/
 main.py |   10 ++++------
 1 files changed, 4 insertions(+), 6 deletions(-)
---
diff --git a/main.py b/main.py
index 9145f28..008a97a 100755
--- a/main.py
+++ b/main.py
@@ -129,9 +129,8 @@ def getTasks():
 
     (con, cur) = connect_db()
 
-    selectStr = "SELECT task.id, task.comment FROM task, person WHERE person.id = \"" + personId + "\" AND 
person.id = task.personId AND done = 0";
-    print(selectStr)
-    cur.execute(selectStr)
+    cur.execute("SELECT task.id, task.comment FROM task, person WHERE person.id = %s AND person.id = 
task.personId AND done = 0", (personId, ))
+    print(cur._last_executed)
     tasks = cur.fetchall()
 
 #    for task in tasks:
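Review bot: The new `print(cur._last_executed)` line writes the fully interpolated statement, including the caller-supplied personId, to stdout on every request, and it does so through an underscore-prefixed attribute that is a MySQLdb implementation detail rather than part of DB-API, so it can disappear on a driver upgrade. If the query text is still wanted for debugging, keep it behind the logging module at debug level and strip the value, e.g. `log.debug("getTasks for person %r", personId)`; otherwise drop the line along with the commented-out loop below. Parameter passing here is still client-side escaping in MySQLdb, so the connection charset set in connect_db should match the server's for the escaping to be reliable — that setup is outside the hunk and I cannot confirm it. getTasks begins above this hunk, so where personId comes from (query string, session, …) is not visible.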
@@ -156,9 +155,8 @@ def updateTask():
     #print(taskId)
     #print(done)
 
-    sqlStr = "UPDATE task SET done = \"" + str(done) + "\" WHERE id = \"" + str(taskId) + "\"";
-    print(sqlStr)
-    cur.execute(sqlStr)
+    cur.execute("UPDATE task SET done = %s WHERE id = %s", (done, taskId))
+    print(cur._last_executed)
     con.commit()
 
     return Response("", 202)
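Review bot: After the parameterised UPDATE the handler commits and returns 202 unconditionally, so a taskId that matches no row (or a caller guessing ids) is indistinguishable from a successful update; check `cur.rowcount` before the commit and return a 404 (or 400) when it is 0. The `print(cur._last_executed)` line has the same issues as in getTasks: it relies on a private MySQLdb attribute and echoes request data to stdout — prefer a `log.debug(...)` call without the values. Whether the caller is authorised to modify this particular task is decided, if at all, above the hunk, since updateTask starts outside it.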