author | BonfaceKilz | 2021-06-03 21:38:58 +0300 |
committer | BonfaceKilz | 2021-06-03 21:58:31 +0300 |
commit | d0042a3cd95d164468a69ab17ee0c3adba5ea296 (patch) | |
tree | 1e83ff75290488937a7c670c897c0b194bbfaa34 /gn3/db | |
parent | 6d366086c0361c3f89d066cec78c5a69de9be155 (diff) | |
download | genenetwork3-d0042a3cd95d164468a69ab17ee0c3adba5ea296.tar.gz |
Use prepared statements for UPDATE sql function
Diffstat (limited to 'gn3/db')
-rw-r--r-- | gn3/db/__init__.py | 16 |
1 files changed, 9 insertions, 7 deletions
diff --git a/gn3/db/__init__.py b/gn3/db/__init__.py
index 8b6bf73..ce92a7d 100644
--- a/gn3/db/__init__.py
+++ b/gn3/db/__init__.py
@@ -43,18 +43,20 @@ def update(conn: Any,
     """Run an UPDATE on a table"""
     if not (any(astuple(data)) and any(astuple(where))):
         return None
+    data_ = {k: v for k, v in asdict(data).items()
+             if v is not None and k in TABLEMAP[table]}
+    where_ = {k: v for k, v in asdict(where).items()
+              if v is not None and k in TABLEMAP[table]}
     sql = f"UPDATE {table} SET "
     sql += ", ".join(f"{TABLEMAP[table].get(k)} "
-                     f"= '{escape_string(str(v)).decode('utf-8')}'" for
-                     k, v in asdict(data).items()
-                     if v is not None and k in TABLEMAP[table])
+                     "= %s" for k in data_.keys())
     sql += " WHERE "
     sql += " AND ".join(f"{TABLEMAP[table].get(k)} = "
-                        f"'{escape_string(str(v)).decode('utf-8')}'" for
-                        k, v in asdict(where).items()
-                        if v is not None and k in TABLEMAP[table])
+                        "%s" for k in where_.keys())
     with conn.cursor() as cursor:
-        cursor.execute(sql)
+        cursor.execute(sql,
+                       tuple(data_.values()) + tuple(where_.values()))
+        conn.commit()
     return cursor.rowcount
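Review bot: The new `data_` / `where_` dicts can both end up empty even when the early `any(astuple(...))` guard passes, because that guard looks at raw truthiness while the comprehensions additionally drop keys absent from `TABLEMAP[table]`; an empty `data_` yields `UPDATE table SET  WHERE ...` and an empty `where_` yields a trailing `WHERE ` with no predicate, both malformed statements that reach `cursor.execute`. Add a second guard right after the comprehensions, `if not (data_ and where_):` / `return None`, so the function refuses to build a statement with no SET clause or no WHERE clause rather than relying on the server to reject it. Moving the values into the `%s` placeholders is the right fix; the remaining interpolated fragments (`table` and the `TABLEMAP[table].get(k)` column names) are confined to `TABLEMAP` keys and values, which is worth stating in the docstring, e.g. `"""Run an UPDATE on a table; identifiers come from TABLEMAP, values are bound as parameters."""`. Since every `k` in `data_`/`where_` already satisfies `k in TABLEMAP[table]`, `TABLEMAP[table][k]` and `for k in data_` read more directly than `.get(k)` and `.keys()`. The `update` signature begins before the hunk (only `def update(conn: Any,` is visible in the header), and if `escape_string` is no longer referenced elsewhere in the module its import is now dead and should be dropped.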