authorBonfaceKilz2021-06-03 21:45:25 +0300
committerzsloan2021-06-18 22:08:04 +0000
commit8210c46fde908b8815ab97f2f91039f87365369b (patch)
tree4c3719b55077e5b8e94d179cb8622a8b8e949277
parentd769bfcc38a14720fa888e2b7c0ff874cc91f6a2 (diff)
downloadgenenetwork3-8210c46fde908b8815ab97f2f91039f87365369b.tar.gz
Use prepared statements for FETCH sql function
-rw-r--r--gn3/db/__init__.py8
-rw-r--r--tests/unit/db/test_phenotypes.py3
2 files changed, 6 insertions, 5 deletions
diff --git a/gn3/db/__init__.py b/gn3/db/__init__.py
index d62b575..fea43ec 100644
--- a/gn3/db/__init__.py
+++ b/gn3/db/__init__.py
@@ -66,14 +66,14 @@ def fetchone(conn: Any,
"""Run a SELECT on a table. Returns only one result!"""
if not any(astuple(where)):
return None
+ where_ = {k: v for k, v in asdict(where).items()
+ if v is not None and k in TABLEMAP[table]}
sql = f"SELECT * FROM {table} "
sql += "WHERE "
sql += " AND ".join(f"{TABLEMAP[table].get(k)} = "
- f"'{escape_string(str(v)).decode('utf-8')}'" for
- k, v in asdict(where).items()
- if v is not None and k in TABLEMAP[table])
+ "%s" for k in where_.keys())
with conn.cursor() as cursor:
- cursor.execute(sql)
+ cursor.execute(sql, tuple(where_.values()))
return DATACLASSMAP[table](*cursor.fetchone())
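Review bot: The filtered `where_` built on the first two added lines can end up empty — a field that is not a key of `TABLEMAP[table]` passes the earlier `any(astuple(where))` check (which also tests truthiness rather than `is not None`) and is then dropped by the comprehension — so the query is emitted as `SELECT * FROM <table> WHERE ` with no predicate and an empty parameter tuple. The guard belongs on the dict the query is actually built from: directly after the comprehension add `if not where_:` / `    return None`. The table and column names still go through f-string formatting, which placeholders cannot replace; that is acceptable here only because both are resolved through `TABLEMAP` rather than taken from the caller, and a comment such as `# identifiers come from TABLEMAP; only values are bound as parameters` would keep a later edit from passing raw names through. Since the comprehension already filters on `k in TABLEMAP[table]`, `TABLEMAP[table].get(k)` can simply be `TABLEMAP[table][k]`. The `%s` placeholder assumes a DB-API driver using the format paramstyle, which the updated test also assumes.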
diff --git a/tests/unit/db/test_phenotypes.py b/tests/unit/db/test_phenotypes.py
index 21eb757..824d186 100644
--- a/tests/unit/db/test_phenotypes.py
+++ b/tests/unit/db/test_phenotypes.py
@@ -61,7 +61,8 @@ class TestPhenotypes(TestCase):
self.assertEqual(phenotype.pre_pub_description,
"Test pre-publication")
cursor.execute.assert_called_once_with(
- "SELECT * FROM Phenotype WHERE id = '35' AND Owner = 'Rob'")
+ "SELECT * FROM Phenotype WHERE id = %s AND Owner = %s",
+ (35, 'Rob'))
def test_diff_from_dict(self):
"""Test that a correct diff is generated"""