From 526fe5381a2d26dd5269553e2fa648e6827030ad Mon Sep 17 00:00:00 2001 From: Artem Tarasov Date: Thu, 18 Jun 2015 21:13:13 +0300 Subject: removed unused function --- wqflask/utility/webqtlUtil.py | 16 ---------------- 1 file changed, 16 deletions(-) diff --git a/wqflask/utility/webqtlUtil.py b/wqflask/utility/webqtlUtil.py index 4d7981d9..4b3d0112 100755 --- a/wqflask/utility/webqtlUtil.py +++ b/wqflask/utility/webqtlUtil.py @@ -880,22 +880,6 @@ def cmpGenoPos(A,B): except: return 0 -#XZhou: Must use "BINARY" to enable case sensitive comparison. -def authUser(name,password,db, encrypt=None): - try: - if encrypt: - query = 'SELECT privilege, id,name,password, grpName FROM User WHERE name= BINARY \'%s\' and password= BINARY \'%s\'' % (name,password) - else: - query = 'SELECT privilege, id,name,password, grpName FROM User WHERE name= BINARY \'%s\' and password= BINARY SHA(\'%s\')' % (name,password) - db.execute(query) - records = db.fetchone() - if not records: - raise ValueError - return records#(privilege,id,name,password,grpName) - except: - return (None, None, None, None, None) - - def hasAccessToConfidentialPhenotypeTrait(privilege, userName, authorized_users): access_to_confidential_phenotype_trait = 0 if webqtlConfig.USERDICT[privilege] > webqtlConfig.USERDICT['user']: -- cgit v1.2.3 From 719b41035d721cdd5f4e0faced88534af2619980 Mon Sep 17 00:00:00 2001 From: Artem Tarasov Date: Mon, 22 Jun 2015 00:06:52 +0300 Subject: fixed a few potential security issues --- wqflask/base/data_set.py | 16 +++++++++------- wqflask/base/trait.py | 9 +++++---- 2 files changed, 14 insertions(+), 11 deletions(-) diff --git a/wqflask/base/data_set.py b/wqflask/base/data_set.py index acfee3d4..14a2a388 100755 --- a/wqflask/base/data_set.py +++ b/wqflask/base/data_set.py @@ -805,11 +805,11 @@ class PhenotypeDataSet(DataSet): WHERE PublishXRef.InbredSetId = PublishFreeze.InbredSetId AND PublishData.Id = PublishXRef.DataId AND PublishXRef.Id = %s AND - PublishFreeze.Id = %d AND PublishData.StrainId = Strain.Id + PublishFreeze.Id = %s AND PublishData.StrainId = Strain.Id Order BY Strain.Name - """ % (trait, self.id) - results = g.db.execute(query).fetchall() + """ + results = g.db.execute(query, (trait, self.id)).fetchall() return results @@ -892,15 +892,17 @@ class GenotypeDataSet(DataSet): left join GenoSE on (GenoSE.DataId = GenoData.Id AND GenoSE.StrainId = GenoData.StrainId) WHERE - Geno.SpeciesId = %s AND Geno.Name = '%s' AND GenoXRef.GenoId = Geno.Id AND + Geno.SpeciesId = %s AND Geno.Name = %s AND GenoXRef.GenoId = Geno.Id AND GenoXRef.GenoFreezeId = GenoFreeze.Id AND - GenoFreeze.Name = '%s' AND + GenoFreeze.Name = %s AND GenoXRef.DataId = GenoData.Id AND GenoData.StrainId = Strain.Id Order BY Strain.Name - """ % (webqtlDatabaseFunction.retrieve_species_id(self.group.name), trait, self.name) - results = g.db.execute(query).fetchall() + """ + results = g.db.execute(query, + (webqtlDatabaseFunction.retrieve_species_id(self.group.name), + trait, self.name)).fetchall() return results diff --git a/wqflask/base/trait.py b/wqflask/base/trait.py index 7f1170a9..7689a469 100755 --- a/wqflask/base/trait.py +++ b/wqflask/base/trait.py @@ -299,6 +299,7 @@ class GeneralTrait(object): """ % (self.name, self.dataset.id) print("query is:", query) + assert self.name.isdigit() trait_info = g.db.execute(query).fetchone() #XZ, 05/08/2009: Xiaodong add this block to use ProbeSet.Id to find the probeset instead of just using ProbeSet.Name @@ -337,10 +338,10 @@ class GeneralTrait(object): trait_info = g.db.execute(query).fetchone() #print("trait_info is: ", pf(trait_info)) else: #Temp type - query = """SELECT %s FROM %s WHERE Name = %s - """ % (string.join(self.dataset.display_fields,','), - self.dataset.type, self.name) - trait_info = g.db.execute(query).fetchone() + query = """SELECT %s FROM %s WHERE Name = %s""" + trait_info = g.db.execute(query, + (string.join(self.dataset.display_fields,','), + self.dataset.type, self.name)).fetchone() if trait_info: self.haveinfo = True -- cgit v1.2.3 From a41f9323ea5b86be6d2139a927586630b222af68 Mon Sep 17 00:00:00 2001 From: Artem Tarasov Date: Mon, 22 Jun 2015 00:30:50 +0300 Subject: escape docs query --- wqflask/wqflask/docs.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/wqflask/wqflask/docs.py b/wqflask/wqflask/docs.py index 07b0b81a..a8363a1f 100755 --- a/wqflask/wqflask/docs.py +++ b/wqflask/wqflask/docs.py @@ -8,9 +8,9 @@ class Docs(object): sql = """ SELECT Docs.title, Docs.content FROM Docs - WHERE Docs.entry LIKE '%s' + WHERE Docs.entry LIKE %s """ - result = g.db.execute(sql % (entry)).fetchone() + result = g.db.execute(sql, str(entry)).fetchone() self.entry = entry self.title = result[0] self.content = result[1] -- cgit v1.2.3