path: root/gn3/db/__init__.py
authorBonfaceKilz2021-06-03 21:38:58 +0300
committerzsloan2021-06-18 22:08:04 +0000
commit4c9bbe6d4229b79a1bc62cf2f641fbc4c4f00abc (patch)
treecbc3ffb79d91d8231cadeaf5d07a549f34ac78cf /gn3/db/__init__.py
parentde834809dbf5f054a5f75c35dbee653cac8311f3 (diff)
downloadgenenetwork3-4c9bbe6d4229b79a1bc62cf2f641fbc4c4f00abc.tar.gz
Use prepared statements for UPDATE sql function
Diffstat (limited to 'gn3/db/__init__.py')
-rw-r--r--gn3/db/__init__.py16
1 files changed, 9 insertions, 7 deletions
diff --git a/gn3/db/__init__.py b/gn3/db/__init__.py
index 8b6bf73..ce92a7d 100644
--- a/gn3/db/__init__.py
+++ b/gn3/db/__init__.py
@@ -43,18 +43,20 @@ def update(conn: Any,
     """Run an UPDATE on a table"""
     if not (any(astuple(data)) and any(astuple(where))):
         return None
+    data_ = {k: v for k, v in asdict(data).items()
+             if v is not None and k in TABLEMAP[table]}
+    where_ = {k: v for k, v in asdict(where).items()
+              if v is not None and k in TABLEMAP[table]}
     sql = f"UPDATE {table} SET "
     sql += ", ".join(f"{TABLEMAP[table].get(k)} "
-                     f"= '{escape_string(str(v)).decode('utf-8')}'" for
-                     k, v in asdict(data).items()
-                     if v is not None and k in TABLEMAP[table])
+                     "= %s" for k in data_.keys())
     sql += " WHERE "
     sql += " AND ".join(f"{TABLEMAP[table].get(k)} = "
-                        f"'{escape_string(str(v)).decode('utf-8')}'" for
-                        k, v in asdict(where).items()
-                        if v is not None and k in TABLEMAP[table])
+                        "%s" for k in where_.keys())
     with conn.cursor() as cursor:
-        cursor.execute(sql)
+        cursor.execute(sql,
+                       tuple(data_.values()) + tuple(where_.values()))
+        conn.commit()
         return cursor.rowcount
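Review bot: The early return on the previous lines checks the raw dataclasses, but the new `data_`/`where_` dicts can still come out empty (every truthy field absent from `TABLEMAP[table]`, or a `where` whose only set fields are unmapped), and then the SQL assembled below is `UPDATE t SET  WHERE ` with no placeholders, which fails at execute time rather than being skipped; the reverse also holds, since a field legitimately set to `0` or `""` passes the `is not None` filter but fails the `any(astuple(...))` guard. Move the guard after the comprehensions: `if not (data_ and where_): return None`. The `table` name and the column names are still string-interpolated on the `sql = f"UPDATE {table} SET "` and `join` lines; that is safe only because `TABLEMAP[table]` has already raised `KeyError` for any table not in the map and column names come from the map's values, not the caller, so a comment stating that invariant would help the next reader, e.g. `# identifiers come from TABLEMAP, only values are bound as parameters`. `.keys()` on the two `for k in ...` lines is redundant. The `def update(...)` signature and the rest of the parameter list start in the hunk header, outside the hunk.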