authorMunyoki Kilyungi2022-09-07 11:00:41 +0300
committerBonfaceKilz2022-09-08 14:26:19 +0300
commit09cc368920182681cad74a908414e59632db6bbd (patch)
tree4705eba9e18c7f30543be4589f681ae9a78fdd04 /wqflask/base
parenta98a4059db43786a5d81510856e4f198f718de32 (diff)
Fix sql queries
"%s" placeholders should only be used for values, never for table names
or column names; otherwise a string literal is inserted in place of the
identifier, which leads to errors in the SQL statements.

* wqflask/base/data_set.py (geno_mrna_confidentiality): Use f-strings
for table/columns/clause.
* wqflask/base/trait.py (retrieve_trait_info): Ditto.
* wqflask/wqflask/gsearch.py (GSearch.__init__): Ditto.
* wqflask/wqflask/interval_analyst/GeneUtil.py (loadGenes): Ditto.
* wqflask/wqflask/snp_browser/snp_browser.py
(SnpBrowser.get_browser_results): Ditto.
Diffstat (limited to 'wqflask/base')
-rw-r--r--wqflask/base/data_set.py4
-rw-r--r--wqflask/base/trait.py15
2 files changed, 9 insertions, 10 deletions
diff --git a/wqflask/base/data_set.py b/wqflask/base/data_set.py
index aac8585e..470aa28b 100644
--- a/wqflask/base/data_set.py
+++ b/wqflask/base/data_set.py
@@ -1218,8 +1218,8 @@ def geno_mrna_confidentiality(ob):
     with database_connection() as conn, conn.cursor() as cursor:
         cursor.execute(
             "SELECT confidentiality, "
-            "AuthorisedUsers FROM %s WHERE Name = %s",
-            (f"{ob.type}Freeze", ob.name,)
+            f"AuthorisedUsers FROM {ob.type}Freeze WHERE Name = %s",
+            (ob.name,)
         )
         result = cursor.fetchall()[0]
         if result:
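Review bot: `ob.type` is now formatted directly into the table name in `FROM {ob.type}Freeze`, so the statement is only as safe as whatever assigns `ob.type`, and that is not visible in this hunk. Identifiers cannot be bound with `%s`, so the usual guard is an allowlist check before the execute, for example `if ob.type not in ALLOWED_FREEZE_TYPES: raise ValueError(ob.type)`, where `ALLOWED_FREEZE_TYPES` is a placeholder for the set of dataset types this function supports. The same pattern appears in `FROM {dataset.type}` in the Temp branch of wqflask/base/trait.py. The body of geno_mrna_confidentiality continues outside the hunk.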
diff --git a/wqflask/base/trait.py b/wqflask/base/trait.py
index 21575230..2ca34028 100644
--- a/wqflask/base/trait.py
+++ b/wqflask/base/trait.py
@@ -426,14 +426,13 @@ def retrieve_trait_info(trait, dataset, get_qtl_info=False):
                 display_fields_string = ', ProbeSet.'.join(dataset.display_fields)
                 display_fields_string = f'ProbeSet.{display_fields_string}'
                 cursor.execute(
-                    "SELECT %s FROM ProbeSet, ProbeSetFreeze, "
+                    f"SELECT {display_fields_string} FROM ProbeSet, ProbeSetFreeze, "
                     "ProbeSetXRef WHERE "
                     "ProbeSetXRef.ProbeSetFreezeId = ProbeSetFreeze.Id "
                     "AND ProbeSetXRef.ProbeSetId = ProbeSet.Id AND "
                     "ProbeSetFreeze.Name = %s AND "
                     "ProbeSet.Name = %s",
-                    (display_fields_string, dataset.name,
-                     str(trait.name),)
+                    (dataset.name, str(trait.name),)
                 )
                 trait_info = cursor.fetchone()
             # XZ, 05/08/2009: We also should use Geno.Id to find marker instead of just using Geno.Name
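Review bot: `display_fields_string` is joined from `dataset.display_fields` and interpolated into the SELECT list with no check that each entry is a plain column name, and where that list is populated is not visible here. If the fields are fixed per dataset class, a comment above the execute should say so, e.g. `# display_fields are fixed column names from the dataset definition, never request data; identifiers cannot be bound with %s`. A cheap guard would be `if not all(f.isidentifier() for f in dataset.display_fields): raise ValueError("unexpected display field")`, assuming every field is a simple identifier, which should be confirmed against the dataset classes. The Geno and Temp branches in the following hunk interpolate the same list, and retrieve_trait_info starts and ends outside this hunk.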
@@ -442,20 +441,20 @@ def retrieve_trait_info(trait, dataset, get_qtl_info=False):
                 display_fields_string = ',Geno.'.join(dataset.display_fields)
                 display_fields_string = f'Geno.{display_fields_string}'
                 cursor.execute(
-                    "SELECT %s FROM Geno, GenoFreeze, "
+                    f"SELECT {display_fields_string} FROM Geno, GenoFreeze, "
                     "GenoXRef WHERE "
                     "GenoXRef.GenoFreezeId = GenoFreeze.Id "
                     "AND GenoXRef.GenoId = Geno.Id "
                     "AND GenoFreeze.Name = %s "
                     "AND Geno.Name = %s",
-                    (display_fields_string, dataset.name, trait.name)
+                    (dataset.name, trait.name)
                 )
                 trait_info = cursor.fetchone()
             else:  # Temp type
                 cursor.execute(
-                    "SELECT %s FROM %s WHERE Name = %s",
-                    (','.join(dataset.display_fields),
-                     dataset.type, trait.name,)
+                    f"SELECT {','.join(dataset.display_fields)} "
+                    f"FROM {dataset.type} WHERE Name = %s",
+                    (trait.name,)
                 )
                 trait_info = cursor.fetchone()