Merge pull request #77 from lomereiter/fix_sql

SQL security fixes

1 files changed, 5 insertions, 4 deletions

diff --git a/wqflask/base/trait.py b/wqflask/base/trait.py
index 7f1170a9..7689a469 100755
--- a/wqflask/base/trait.py
+++ b/wqflask/base/trait.py
@@ -299,6 +299,7 @@ class GeneralTrait(object):
                     """ % (self.name, self.dataset.id)
             
             print("query is:", query)        
+            assert self.name.isdigit()
         
             trait_info = g.db.execute(query).fetchone()
         #XZ, 05/08/2009: Xiaodong add this block to use ProbeSet.Id to find the probeset instead of just using ProbeSet.Name
@@ -337,10 +338,10 @@ class GeneralTrait(object):
             trait_info = g.db.execute(query).fetchone()
             #print("trait_info is: ", pf(trait_info))
         else: #Temp type
-            query = """SELECT %s FROM %s WHERE Name = %s
-                                     """ % (string.join(self.dataset.display_fields,','),
-                                            self.dataset.type, self.name)
-            trait_info = g.db.execute(query).fetchone()
+            query = """SELECT %s FROM %s WHERE Name = %s"""
+            trait_info = g.db.execute(query,
+                                      (string.join(self.dataset.display_fields,','),
+                                                   self.dataset.type, self.name)).fetchone()
         if trait_info:
             self.haveinfo = True