authorBonfaceKilz2021-06-03 21:45:25 +0300
committerBonfaceKilz2021-06-03 21:58:31 +0300
commitbef67489908e28c170e28cde637627c17a0d1db7 (patch)
tree1c1c6e321edda9aa1c8a8fcb8fe605f397182d35 /gn3/db
parent9a07a39e943a406152b10eda984d5949223cef47 (diff)
downloadgenenetwork3-bef67489908e28c170e28cde637627c17a0d1db7.tar.gz
Use prepared statements for FETCH sql function
Diffstat (limited to 'gn3/db')
-rw-r--r--gn3/db/__init__.py8
1 files changed, 4 insertions, 4 deletions
diff --git a/gn3/db/__init__.py b/gn3/db/__init__.py
index d62b575..fea43ec 100644
--- a/gn3/db/__init__.py
+++ b/gn3/db/__init__.py
@@ -66,14 +66,14 @@ def fetchone(conn: Any,
     """Run a SELECT on a table. Returns only one result!"""
     if not any(astuple(where)):
         return None
+    where_ = {k: v for k, v in asdict(where).items()
+              if v is not None and k in TABLEMAP[table]}
     sql = f"SELECT * FROM {table} "
     sql += "WHERE "
     sql += " AND ".join(f"{TABLEMAP[table].get(k)} = "
-                        f"'{escape_string(str(v)).decode('utf-8')}'" for
-                        k, v in asdict(where).items()
-                        if v is not None and k in TABLEMAP[table])
+                        "%s" for k in where_.keys())
     with conn.cursor() as cursor:
-        cursor.execute(sql)
+        cursor.execute(sql, tuple(where_.values()))
         return DATACLASSMAP[table](*cursor.fetchone())