fixed a few potential security issues

author: Artem Tarasov 2015-06-22 00:06:52 +0300
committer: Artem Tarasov 2015-06-22 00:06:52 +0300
commit: 719b41035d721cdd5f4e0faced88534af2619980 (patch)
tree: 0472b8ff07b10bcb5880268965994c47b0d1efa9 /wqflask/base/data_set.py
parent: 526fe5381a2d26dd5269553e2fa648e6827030ad (diff)
download: genenetwork2-719b41035d721cdd5f4e0faced88534af2619980.tar.gz
1 files changed, 9 insertions, 7 deletions
diff --git a/wqflask/base/data_set.py b/wqflask/base/data_set.py
index acfee3d4..14a2a388 100755
--- a/wqflask/base/data_set.py
+++ b/wqflask/base/data_set.py
@@ -805,11 +805,11 @@ class PhenotypeDataSet(DataSet):
                     WHERE
                             PublishXRef.InbredSetId = PublishFreeze.InbredSetId AND
                             PublishData.Id = PublishXRef.DataId AND PublishXRef.Id = %s AND
-                            PublishFreeze.Id = %d AND PublishData.StrainId = Strain.Id
+                            PublishFreeze.Id = %s AND PublishData.StrainId = Strain.Id
                     Order BY
                             Strain.Name
-                    """ % (trait, self.id)
-        results = g.db.execute(query).fetchall()
+                    """
+        results = g.db.execute(query, (trait, self.id)).fetchall()
         return results
 
 
@@ -892,15 +892,17 @@ class GenotypeDataSet(DataSet):
                     left join GenoSE on
                             (GenoSE.DataId = GenoData.Id AND GenoSE.StrainId = GenoData.StrainId)
                     WHERE
-                            Geno.SpeciesId = %s AND Geno.Name = '%s' AND GenoXRef.GenoId = Geno.Id AND
+                            Geno.SpeciesId = %s AND Geno.Name = %s AND GenoXRef.GenoId = Geno.Id AND
                             GenoXRef.GenoFreezeId = GenoFreeze.Id AND
-                            GenoFreeze.Name = '%s' AND
+                            GenoFreeze.Name = %s AND
                             GenoXRef.DataId = GenoData.Id AND
                             GenoData.StrainId = Strain.Id
                     Order BY
                             Strain.Name
-                    """ % (webqtlDatabaseFunction.retrieve_species_id(self.group.name), trait, self.name)
-        results = g.db.execute(query).fetchall()
+                    """
+        results = g.db.execute(query,
+                               (webqtlDatabaseFunction.retrieve_species_id(self.group.name),
+                                trait, self.name)).fetchall()
         return results
author	Artem Tarasov	2015-06-22 00:06:52 +0300
committer	Artem Tarasov	2015-06-22 00:06:52 +0300
commit	719b41035d721cdd5f4e0faced88534af2619980 (patch)
tree	0472b8ff07b10bcb5880268965994c47b0d1efa9 /wqflask/base/data_set.py
parent	526fe5381a2d26dd5269553e2fa648e6827030ad (diff)
download	genenetwork2-719b41035d721cdd5f4e0faced88534af2619980.tar.gz