aboutsummaryrefslogtreecommitdiff
path: root/gn3/db/__init__.py
diff options
context:
space:
mode:
authorBonfaceKilz2021-06-03 21:38:58 +0300
committerzsloan2021-06-18 22:08:04 +0000
commit4c9bbe6d4229b79a1bc62cf2f641fbc4c4f00abc (patch)
treecbc3ffb79d91d8231cadeaf5d07a549f34ac78cf /gn3/db/__init__.py
parentde834809dbf5f054a5f75c35dbee653cac8311f3 (diff)
downloadgenenetwork3-4c9bbe6d4229b79a1bc62cf2f641fbc4c4f00abc.tar.gz
Use prepared statements for UPDATE sql function
Diffstat (limited to 'gn3/db/__init__.py')
-rw-r--r--gn3/db/__init__.py16
1 files changed, 9 insertions, 7 deletions
diff --git a/gn3/db/__init__.py b/gn3/db/__init__.py
index 8b6bf73..ce92a7d 100644
--- a/gn3/db/__init__.py
+++ b/gn3/db/__init__.py
@@ -43,18 +43,20 @@ def update(conn: Any,
"""Run an UPDATE on a table"""
if not (any(astuple(data)) and any(astuple(where))):
return None
+ data_ = {k: v for k, v in asdict(data).items()
+ if v is not None and k in TABLEMAP[table]}
+ where_ = {k: v for k, v in asdict(where).items()
+ if v is not None and k in TABLEMAP[table]}
sql = f"UPDATE {table} SET "
sql += ", ".join(f"{TABLEMAP[table].get(k)} "
- f"= '{escape_string(str(v)).decode('utf-8')}'" for
- k, v in asdict(data).items()
- if v is not None and k in TABLEMAP[table])
+ "= %s" for k in data_.keys())
sql += " WHERE "
sql += " AND ".join(f"{TABLEMAP[table].get(k)} = "
- f"'{escape_string(str(v)).decode('utf-8')}'" for
- k, v in asdict(where).items()
- if v is not None and k in TABLEMAP[table])
+ "%s" for k in where_.keys())
with conn.cursor() as cursor:
- cursor.execute(sql)
+ cursor.execute(sql,
+ tuple(data_.values()) + tuple(where_.values()))
+ conn.commit()
return cursor.rowcount