Merge pull request #77 from lomereiter/fix_sql

SQL security fixes
author: zsloan 2015-06-29 10:37:20 -0500
committer: zsloan 2015-06-29 10:37:20 -0500
commit: b8152f98f0d9c2a1ec0d73145a4670153b60a307 (patch)
tree: f2e419a375b87a361c9288a9defd7bb46fade4b2 /wqflask/base/data_set.py
parent: 1353414114b9595a1b207ae4da28e5e725edc550 (diff)
parent: a41f9323ea5b86be6d2139a927586630b222af68 (diff)
download: genenetwork2-b8152f98f0d9c2a1ec0d73145a4670153b60a307.tar.gz
1 files changed, 9 insertions, 7 deletions
diff --git a/wqflask/base/data_set.py b/wqflask/base/data_set.py
index acfee3d4..14a2a388 100755
--- a/wqflask/base/data_set.py
+++ b/wqflask/base/data_set.py
@@ -805,11 +805,11 @@ class PhenotypeDataSet(DataSet):
                     WHERE
                             PublishXRef.InbredSetId = PublishFreeze.InbredSetId AND
                             PublishData.Id = PublishXRef.DataId AND PublishXRef.Id = %s AND
-                            PublishFreeze.Id = %d AND PublishData.StrainId = Strain.Id
+                            PublishFreeze.Id = %s AND PublishData.StrainId = Strain.Id
                     Order BY
                             Strain.Name
-                    """ % (trait, self.id)
-        results = g.db.execute(query).fetchall()
+                    """
+        results = g.db.execute(query, (trait, self.id)).fetchall()
         return results
 
 
@@ -892,15 +892,17 @@ class GenotypeDataSet(DataSet):
                     left join GenoSE on
                             (GenoSE.DataId = GenoData.Id AND GenoSE.StrainId = GenoData.StrainId)
                     WHERE
-                            Geno.SpeciesId = %s AND Geno.Name = '%s' AND GenoXRef.GenoId = Geno.Id AND
+                            Geno.SpeciesId = %s AND Geno.Name = %s AND GenoXRef.GenoId = Geno.Id AND
                             GenoXRef.GenoFreezeId = GenoFreeze.Id AND
-                            GenoFreeze.Name = '%s' AND
+                            GenoFreeze.Name = %s AND
                             GenoXRef.DataId = GenoData.Id AND
                             GenoData.StrainId = Strain.Id
                     Order BY
                             Strain.Name
-                    """ % (webqtlDatabaseFunction.retrieve_species_id(self.group.name), trait, self.name)
-        results = g.db.execute(query).fetchall()
+                    """
+        results = g.db.execute(query,
+                               (webqtlDatabaseFunction.retrieve_species_id(self.group.name),
+                                trait, self.name)).fetchall()
         return results
author	zsloan	2015-06-29 10:37:20 -0500
committer	zsloan	2015-06-29 10:37:20 -0500
commit	b8152f98f0d9c2a1ec0d73145a4670153b60a307 (patch)
tree	f2e419a375b87a361c9288a9defd7bb46fade4b2 /wqflask/base/data_set.py
parent	1353414114b9595a1b207ae4da28e5e725edc550 (diff)
parent	a41f9323ea5b86be6d2139a927586630b222af68 (diff)
download	genenetwork2-b8152f98f0d9c2a1ec0d73145a4670153b60a307.tar.gz