diff options
author | zsloan | 2015-06-29 10:37:20 -0500 |
---|---|---|
committer | zsloan | 2015-06-29 10:37:20 -0500 |
commit | b8152f98f0d9c2a1ec0d73145a4670153b60a307 (patch) | |
tree | f2e419a375b87a361c9288a9defd7bb46fade4b2 | |
parent | 1353414114b9595a1b207ae4da28e5e725edc550 (diff) | |
parent | a41f9323ea5b86be6d2139a927586630b222af68 (diff) | |
download | genenetwork2-b8152f98f0d9c2a1ec0d73145a4670153b60a307.tar.gz |
Merge pull request #77 from lomereiter/fix_sql
SQL security fixes
-rwxr-xr-x | wqflask/base/data_set.py | 16 | ||||
-rwxr-xr-x | wqflask/base/trait.py | 9 | ||||
-rwxr-xr-x | wqflask/utility/webqtlUtil.py | 16 | ||||
-rwxr-xr-x | wqflask/wqflask/docs.py | 4 |
4 files changed, 16 insertions, 29 deletions
diff --git a/wqflask/base/data_set.py b/wqflask/base/data_set.py index acfee3d4..14a2a388 100755 --- a/wqflask/base/data_set.py +++ b/wqflask/base/data_set.py @@ -805,11 +805,11 @@ class PhenotypeDataSet(DataSet): WHERE PublishXRef.InbredSetId = PublishFreeze.InbredSetId AND PublishData.Id = PublishXRef.DataId AND PublishXRef.Id = %s AND - PublishFreeze.Id = %d AND PublishData.StrainId = Strain.Id + PublishFreeze.Id = %s AND PublishData.StrainId = Strain.Id Order BY Strain.Name - """ % (trait, self.id) - results = g.db.execute(query).fetchall() + """ + results = g.db.execute(query, (trait, self.id)).fetchall() return results @@ -892,15 +892,17 @@ class GenotypeDataSet(DataSet): left join GenoSE on (GenoSE.DataId = GenoData.Id AND GenoSE.StrainId = GenoData.StrainId) WHERE - Geno.SpeciesId = %s AND Geno.Name = '%s' AND GenoXRef.GenoId = Geno.Id AND + Geno.SpeciesId = %s AND Geno.Name = %s AND GenoXRef.GenoId = Geno.Id AND GenoXRef.GenoFreezeId = GenoFreeze.Id AND - GenoFreeze.Name = '%s' AND + GenoFreeze.Name = %s AND GenoXRef.DataId = GenoData.Id AND GenoData.StrainId = Strain.Id Order BY Strain.Name - """ % (webqtlDatabaseFunction.retrieve_species_id(self.group.name), trait, self.name) - results = g.db.execute(query).fetchall() + """ + results = g.db.execute(query, + (webqtlDatabaseFunction.retrieve_species_id(self.group.name), + trait, self.name)).fetchall() return results diff --git a/wqflask/base/trait.py b/wqflask/base/trait.py index 7f1170a9..7689a469 100755 --- a/wqflask/base/trait.py +++ b/wqflask/base/trait.py @@ -299,6 +299,7 @@ class GeneralTrait(object): """ % (self.name, self.dataset.id) print("query is:", query) + assert self.name.isdigit() trait_info = g.db.execute(query).fetchone() #XZ, 05/08/2009: Xiaodong add this block to use ProbeSet.Id to find the probeset instead of just using ProbeSet.Name @@ -337,10 +338,10 @@ class GeneralTrait(object): trait_info = g.db.execute(query).fetchone() #print("trait_info is: ", pf(trait_info)) else: #Temp type - query = """SELECT %s FROM %s WHERE Name = %s - """ % (string.join(self.dataset.display_fields,','), - self.dataset.type, self.name) - trait_info = g.db.execute(query).fetchone() + query = """SELECT %s FROM %s WHERE Name = %s""" + trait_info = g.db.execute(query, + (string.join(self.dataset.display_fields,','), + self.dataset.type, self.name)).fetchone() if trait_info: self.haveinfo = True diff --git a/wqflask/utility/webqtlUtil.py b/wqflask/utility/webqtlUtil.py index 4d7981d9..4b3d0112 100755 --- a/wqflask/utility/webqtlUtil.py +++ b/wqflask/utility/webqtlUtil.py @@ -880,22 +880,6 @@ def cmpGenoPos(A,B): except: return 0 -#XZhou: Must use "BINARY" to enable case sensitive comparison. -def authUser(name,password,db, encrypt=None): - try: - if encrypt: - query = 'SELECT privilege, id,name,password, grpName FROM User WHERE name= BINARY \'%s\' and password= BINARY \'%s\'' % (name,password) - else: - query = 'SELECT privilege, id,name,password, grpName FROM User WHERE name= BINARY \'%s\' and password= BINARY SHA(\'%s\')' % (name,password) - db.execute(query) - records = db.fetchone() - if not records: - raise ValueError - return records#(privilege,id,name,password,grpName) - except: - return (None, None, None, None, None) - - def hasAccessToConfidentialPhenotypeTrait(privilege, userName, authorized_users): access_to_confidential_phenotype_trait = 0 if webqtlConfig.USERDICT[privilege] > webqtlConfig.USERDICT['user']: diff --git a/wqflask/wqflask/docs.py b/wqflask/wqflask/docs.py index 07b0b81a..a8363a1f 100755 --- a/wqflask/wqflask/docs.py +++ b/wqflask/wqflask/docs.py @@ -8,9 +8,9 @@ class Docs(object): sql = """ SELECT Docs.title, Docs.content FROM Docs - WHERE Docs.entry LIKE '%s' + WHERE Docs.entry LIKE %s """ - result = g.db.execute(sql % (entry)).fetchone() + result = g.db.execute(sql, str(entry)).fetchone() self.entry = entry self.title = result[0] self.content = result[1] |