From 719b41035d721cdd5f4e0faced88534af2619980 Mon Sep 17 00:00:00 2001
From: Artem Tarasov
Date: Mon, 22 Jun 2015 00:06:52 +0300
Subject: fixed a few potential security issues
---
 wqflask/base/trait.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
(limited to 'wqflask/base/trait.py')
diff --git a/wqflask/base/trait.py b/wqflask/base/trait.py
index 7f1170a9..7689a469 100755
--- a/wqflask/base/trait.py
+++ b/wqflask/base/trait.py
@@ -299,6 +299,7 @@ class GeneralTrait(object):
 """ % (self.name, self.dataset.id)
 print("query is:", query)
+ assert self.name.isdigit()
 trait_info = g.db.execute(query).fetchone()
 #XZ, 05/08/2009: Xiaodong add this block to use ProbeSet.Id to find the probeset instead of just using ProbeSet.Name
@@ -337,10 +338,10 @@ class GeneralTrait(object):
 trait_info = g.db.execute(query).fetchone()
 #print("trait_info is: ", pf(trait_info))
 else: #Temp type
- query = """SELECT %s FROM %s WHERE Name = %s
- """ % (string.join(self.dataset.display_fields,','),
- self.dataset.type, self.name)
- trait_info = g.db.execute(query).fetchone()
+ query = """SELECT %s FROM %s WHERE Name = %s"""
+ trait_info = g.db.execute(query,
+ (string.join(self.dataset.display_fields,','),
+ self.dataset.type, self.name)).fetchone()
 if trait_info:
 self.haveinfo = True
--
cgit v1.2.3
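Review bot: The added `assert self.name.isdigit()` is stripped when Python runs with `-O`, so the guard on the `self.name` that was just interpolated into the query string disappears in exactly the deployment mode where it is most likely to be relied on; raise explicitly instead, e.g. `if not self.name.isdigit(): raise ValueError("invalid trait name: %r" % self.name)`, or better, bind `self.name` as a query parameter rather than formatting it into SQL. The check is also placed after the `%` formatting that already consumed `self.name` and `self.dataset.id`; moving it ahead of the string construction makes the intent clearer, and `self.dataset.id` is formatted in unchecked, which is presumably a database-derived value rather than request input but worth confirming. The enclosing method starts and ends outside the hunk.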
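Review bot: Binding `string.join(self.dataset.display_fields,',')` and `self.dataset.type` as query parameters in the new `g.db.execute(query, (...))` call does not do what the old code did: a DB-API driver quotes bound values as string literals, so the statement becomes roughly `SELECT 'a,b' FROM 'Temp' WHERE Name = '...'`, which the database will reject as a table reference (a quoted string is not an identifier) and, for the select list, would return the literal string rather than the columns. Identifiers cannot be parameterized; only the value `self.name` should be bound, with the column list and table name still formatted in — they appear to come from the dataset definition rather than from the request, which is worth confirming, and an identifier whitelist check on them would close the remaining gap. Concretely: `query = """SELECT %s FROM %s WHERE Name = %%s""" % (string.join(self.dataset.display_fields,','), self.dataset.type)` followed by `trait_info = g.db.execute(query, (self.name,)).fetchone()`. The enclosing method starts and ends outside the hunk.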