From 719b41035d721cdd5f4e0faced88534af2619980 Mon Sep 17 00:00:00 2001
From: Artem Tarasov
Date: Mon, 22 Jun 2015 00:06:52 +0300
Subject: fixed a few potential security issues

---
 wqflask/base/data_set.py | 16 +++++++++-------
 wqflask/base/trait.py    |  9 +++++----
 2 files changed, 14 insertions(+), 11 deletions(-)


diff --git a/wqflask/base/data_set.py b/wqflask/base/data_set.py
index acfee3d4..14a2a388 100755
--- a/wqflask/base/data_set.py
+++ b/wqflask/base/data_set.py
@@ -805,11 +805,11 @@ class PhenotypeDataSet(DataSet):
                     WHERE
                             PublishXRef.InbredSetId = PublishFreeze.InbredSetId AND
                             PublishData.Id = PublishXRef.DataId AND PublishXRef.Id = %s AND
-                            PublishFreeze.Id = %d AND PublishData.StrainId = Strain.Id
+                            PublishFreeze.Id = %s AND PublishData.StrainId = Strain.Id
                     Order BY
                             Strain.Name
-                    """ % (trait, self.id)
-        results = g.db.execute(query).fetchall()
+                    """
+        results = g.db.execute(query, (trait, self.id)).fetchall()
         return results
 
 
@@ -892,15 +892,17 @@ class GenotypeDataSet(DataSet):
                     left join GenoSE on
                             (GenoSE.DataId = GenoData.Id AND GenoSE.StrainId = GenoData.StrainId)
                     WHERE
-                            Geno.SpeciesId = %s AND Geno.Name = '%s' AND GenoXRef.GenoId = Geno.Id AND
+                            Geno.SpeciesId = %s AND Geno.Name = %s AND GenoXRef.GenoId = Geno.Id AND
                             GenoXRef.GenoFreezeId = GenoFreeze.Id AND
-                            GenoFreeze.Name = '%s' AND
+                            GenoFreeze.Name = %s AND
                             GenoXRef.DataId = GenoData.Id AND
                             GenoData.StrainId = Strain.Id
                     Order BY
                             Strain.Name
-                    """ % (webqtlDatabaseFunction.retrieve_species_id(self.group.name), trait, self.name)
-        results = g.db.execute(query).fetchall()
+                    """
+        results = g.db.execute(query,
+                               (webqtlDatabaseFunction.retrieve_species_id(self.group.name),
+                                trait, self.name)).fetchall()
         return results
 
 
diff --git a/wqflask/base/trait.py b/wqflask/base/trait.py
index 7f1170a9..7689a469 100755
--- a/wqflask/base/trait.py
+++ b/wqflask/base/trait.py
@@ -299,6 +299,7 @@ class GeneralTrait(object):
                     """ % (self.name, self.dataset.id)
             
             print("query is:", query)        
+            assert self.name.isdigit()
         
             trait_info = g.db.execute(query).fetchone()
         #XZ, 05/08/2009: Xiaodong add this block to use ProbeSet.Id to find the probeset instead of just using ProbeSet.Name
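Review bot: The added `assert self.name.isdigit()` is not a reliable guard: `assert` statements are stripped when the interpreter runs with `-O`, so the check silently disappears in an optimized deployment, and it is placed after the query has already been interpolated with `% (self.name, self.dataset.id)` and printed. Since this branch still builds the SQL by string formatting rather than binding parameters as the other hunks in this commit do, the check should be an unconditional error raised before the query is formatted, e.g. `if not self.name.isdigit(): raise ValueError("trait name must be numeric")`, or better, the query should take `self.name` and `self.dataset.id` as bound parameters like the `data_set.py` hunks. The enclosing method and the query string start before this hunk, so the formatting line itself is not visible here; I am inferring its shape from the `%` line at the top of the hunk.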
@@ -337,10 +338,10 @@ class GeneralTrait(object):
             trait_info = g.db.execute(query).fetchone()
             #print("trait_info is: ", pf(trait_info))
         else: #Temp type
-            query = """SELECT %s FROM %s WHERE Name = %s
-                                     """ % (string.join(self.dataset.display_fields,','),
-                                            self.dataset.type, self.name)
-            trait_info = g.db.execute(query).fetchone()
+            query = """SELECT %s FROM %s WHERE Name = %s"""
+            trait_info = g.db.execute(query,
+                                      (string.join(self.dataset.display_fields,','),
+                                                   self.dataset.type, self.name)).fetchone()
         if trait_info:
             self.haveinfo = True
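Review bot: The parameterized form in the Temp branch binds the column list and the table name as query parameters, which a DB-API driver will quote as string literals; the effective statement becomes something like `SELECT 'a,b' FROM 'Temp' WHERE Name = 'x'`, which either errors or selects a constant, so this hunk likely breaks the Temp path rather than hardening it. Only the value `self.name` can be a bound parameter; identifiers still have to be formatted into the SQL text, which is acceptable only if `self.dataset.display_fields` and `self.dataset.type` come from trusted dataset configuration rather than request input (I cannot confirm that from this hunk). Suggested form: `query = "SELECT %s FROM %s WHERE Name = %%s" % (string.join(self.dataset.display_fields, ','), self.dataset.type)` followed by `trait_info = g.db.execute(query, (self.name,)).fetchone()`, with a comment noting that identifiers cannot be bound. The enclosing method continues past the end of this hunk.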
 