From 4c9bbe6d4229b79a1bc62cf2f641fbc4c4f00abc Mon Sep 17 00:00:00 2001
From: BonfaceKilz
Date: Thu, 3 Jun 2021 21:38:58 +0300
Subject: Use prepared statements for UPDATE sql function

---
 gn3/db/__init__.py | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

(limited to 'gn3/db/__init__.py')

diff --git a/gn3/db/__init__.py b/gn3/db/__init__.py
index 8b6bf73..ce92a7d 100644
--- a/gn3/db/__init__.py
+++ b/gn3/db/__init__.py
@@ -43,18 +43,20 @@ def update(conn: Any,
     """Run an UPDATE on a table"""
     if not (any(astuple(data)) and any(astuple(where))):
         return None
+    data_ = {k: v for k, v in asdict(data).items()
+             if v is not None and k in TABLEMAP[table]}
+    where_ = {k: v for k, v in asdict(where).items()
+              if v is not None and k in TABLEMAP[table]}
     sql = f"UPDATE {table} SET "
     sql += ", ".join(f"{TABLEMAP[table].get(k)} "
-                     f"= '{escape_string(str(v)).decode('utf-8')}'" for
-                     k, v in asdict(data).items()
-                     if v is not None and k in TABLEMAP[table])
+                     "= %s" for k in data_.keys())
     sql += " WHERE "
     sql += " AND ".join(f"{TABLEMAP[table].get(k)} = "
-                        f"'{escape_string(str(v)).decode('utf-8')}'" for
-                        k, v in asdict(where).items()
-                        if v is not None and k in TABLEMAP[table])
+                        "%s" for k in where_.keys())
     with conn.cursor() as cursor:
-        cursor.execute(sql)
+        cursor.execute(sql,
+                       tuple(data_.values()) + tuple(where_.values()))
+        conn.commit()
         return cursor.rowcount
 
 
-- 
cgit v1.2.3