Merge pull request #77 from lomereiter/fix_sql

SQL security fixes

4 files changed, 16 insertions, 29 deletions

diff --git a/wqflask/base/data_set.py b/wqflask/base/data_set.py
index acfee3d4..14a2a388 100755
--- a/wqflask/base/data_set.py
+++ b/wqflask/base/data_set.py
@@ -805,11 +805,11 @@ class PhenotypeDataSet(DataSet):
                     WHERE
                             PublishXRef.InbredSetId = PublishFreeze.InbredSetId AND
                             PublishData.Id = PublishXRef.DataId AND PublishXRef.Id = %s AND
-                            PublishFreeze.Id = %d AND PublishData.StrainId = Strain.Id
+                            PublishFreeze.Id = %s AND PublishData.StrainId = Strain.Id
                     Order BY
                             Strain.Name
-                    """ % (trait, self.id)
-        results = g.db.execute(query).fetchall()
+                    """
+        results = g.db.execute(query, (trait, self.id)).fetchall()
         return results
 
 
@@ -892,15 +892,17 @@ class GenotypeDataSet(DataSet):
                     left join GenoSE on
                             (GenoSE.DataId = GenoData.Id AND GenoSE.StrainId = GenoData.StrainId)
                     WHERE
-                            Geno.SpeciesId = %s AND Geno.Name = '%s' AND GenoXRef.GenoId = Geno.Id AND
+                            Geno.SpeciesId = %s AND Geno.Name = %s AND GenoXRef.GenoId = Geno.Id AND
                             GenoXRef.GenoFreezeId = GenoFreeze.Id AND
-                            GenoFreeze.Name = '%s' AND
+                            GenoFreeze.Name = %s AND
                             GenoXRef.DataId = GenoData.Id AND
                             GenoData.StrainId = Strain.Id
                     Order BY
                             Strain.Name
-                    """ % (webqtlDatabaseFunction.retrieve_species_id(self.group.name), trait, self.name)
-        results = g.db.execute(query).fetchall()
+                    """
+        results = g.db.execute(query,
+                               (webqtlDatabaseFunction.retrieve_species_id(self.group.name),
+                                trait, self.name)).fetchall()
         return results
 
 
diff --git a/wqflask/base/trait.py b/wqflask/base/trait.py
index 7f1170a9..7689a469 100755
--- a/wqflask/base/trait.py
+++ b/wqflask/base/trait.py
@@ -299,6 +299,7 @@ class GeneralTrait(object):
                     """ % (self.name, self.dataset.id)
             
             print("query is:", query)        
+            assert self.name.isdigit()
         
             trait_info = g.db.execute(query).fetchone()
         #XZ, 05/08/2009: Xiaodong add this block to use ProbeSet.Id to find the probeset instead of just using ProbeSet.Name
@@ -337,10 +338,10 @@ class GeneralTrait(object):
             trait_info = g.db.execute(query).fetchone()
             #print("trait_info is: ", pf(trait_info))
         else: #Temp type
-            query = """SELECT %s FROM %s WHERE Name = %s
-                                     """ % (string.join(self.dataset.display_fields,','),
-                                            self.dataset.type, self.name)
-            trait_info = g.db.execute(query).fetchone()
+            query = """SELECT %s FROM %s WHERE Name = %s"""
+            trait_info = g.db.execute(query,
+                                      (string.join(self.dataset.display_fields,','),
+                                                   self.dataset.type, self.name)).fetchone()
         if trait_info:
             self.haveinfo = True
 
diff --git a/wqflask/utility/webqtlUtil.py b/wqflask/utility/webqtlUtil.py
index 4d7981d9..4b3d0112 100755
--- a/wqflask/utility/webqtlUtil.py
+++ b/wqflask/utility/webqtlUtil.py
@@ -880,22 +880,6 @@ def cmpGenoPos(A,B):
     except:
         return 0
 
-#XZhou: Must use "BINARY" to enable case sensitive comparison.
-def authUser(name,password,db, encrypt=None):
-    try:
-        if encrypt:
-            query = 'SELECT privilege, id,name,password, grpName FROM User WHERE name= BINARY \'%s\' and password= BINARY \'%s\'' % (name,password)
-        else:
-            query = 'SELECT privilege, id,name,password, grpName FROM User WHERE name= BINARY \'%s\' and password= BINARY SHA(\'%s\')' % (name,password)
-        db.execute(query)
-        records = db.fetchone()
-        if not records:
-            raise ValueError
-        return records#(privilege,id,name,password,grpName)
-    except:
-        return (None, None, None, None, None)
-
-
 def hasAccessToConfidentialPhenotypeTrait(privilege, userName, authorized_users):
     access_to_confidential_phenotype_trait = 0
     if webqtlConfig.USERDICT[privilege] > webqtlConfig.USERDICT['user']:
diff --git a/wqflask/wqflask/docs.py b/wqflask/wqflask/docs.py
index 07b0b81a..a8363a1f 100755
--- a/wqflask/wqflask/docs.py
+++ b/wqflask/wqflask/docs.py
@@ -8,9 +8,9 @@ class Docs(object):
         sql = """
             SELECT Docs.title, Docs.content
             FROM Docs
-            WHERE Docs.entry LIKE '%s'
+            WHERE Docs.entry LIKE %s
             """
-        result = g.db.execute(sql % (entry)).fetchone()
+        result = g.db.execute(sql, str(entry)).fetchone()
         self.entry = entry
         self.title = result[0]
         self.content = result[1]