diff options
| author | BonfaceKilz | 2021-06-03 21:38:58 +0300 |
|---|---|---|
| committer | zsloan | 2021-06-18 22:08:04 +0000 |
| commit | 4c9bbe6d4229b79a1bc62cf2f641fbc4c4f00abc (patch) | |
| tree | cbc3ffb79d91d8231cadeaf5d07a549f34ac78cf /gn3/db/__init__.py | |
| parent | de834809dbf5f054a5f75c35dbee653cac8311f3 (diff) | |
| download | genenetwork3-4c9bbe6d4229b79a1bc62cf2f641fbc4c4f00abc.tar.gz | |
Use prepared statements for UPDATE sql function
Diffstat (limited to 'gn3/db/__init__.py')
| -rw-r--r-- | gn3/db/__init__.py | 16 |
1 files changed, 9 insertions, 7 deletions
diff --git a/gn3/db/__init__.py b/gn3/db/__init__.py index 8b6bf73..ce92a7d 100644 --- a/gn3/db/__init__.py +++ b/gn3/db/__init__.py @@ -43,18 +43,20 @@ def update(conn: Any, """Run an UPDATE on a table""" if not (any(astuple(data)) and any(astuple(where))): return None + data_ = {k: v for k, v in asdict(data).items() + if v is not None and k in TABLEMAP[table]} + where_ = {k: v for k, v in asdict(where).items() + if v is not None and k in TABLEMAP[table]} sql = f"UPDATE {table} SET " sql += ", ".join(f"{TABLEMAP[table].get(k)} " - f"= '{escape_string(str(v)).decode('utf-8')}'" for - k, v in asdict(data).items() - if v is not None and k in TABLEMAP[table]) + "= %s" for k in data_.keys()) sql += " WHERE " sql += " AND ".join(f"{TABLEMAP[table].get(k)} = " - f"'{escape_string(str(v)).decode('utf-8')}'" for - k, v in asdict(where).items() - if v is not None and k in TABLEMAP[table]) + "%s" for k in where_.keys()) with conn.cursor() as cursor: - cursor.execute(sql) + cursor.execute(sql, + tuple(data_.values()) + tuple(where_.values())) + conn.commit() return cursor.rowcount |