From 92cf784b1afae088122ef8af556d6df6d66de5f9 Mon Sep 17 00:00:00 2001
From: Munyoki Kilyungi
Date: Mon, 4 Sep 2023 21:49:55 +0300
Subject: Replace "escape_string" with safe-query parameters

Signed-off-by: Munyoki Kilyungi <me@bonfacemunyoki.com>
---
 gn3/db/species.py | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

(limited to 'gn3')

diff --git a/gn3/db/species.py b/gn3/db/species.py
index 743e797..e43ec14 100644
--- a/gn3/db/species.py
+++ b/gn3/db/species.py
@@ -3,7 +3,6 @@ groups. Particularly useful when generating the menu
 
 """
 from typing import Any, Optional, Tuple
-from MySQLdb import escape_string
 
 
 def get_all_species(conn: Any) -> Optional[Tuple]:
@@ -23,15 +22,15 @@ def get_chromosome(name: str, is_species: bool, conn: Any) -> Optional[Tuple]:
             "Length FROM Chr_Length, Species WHERE "
             "Chr_Length.SpeciesId = Species.SpeciesId AND "
             "Species.Name = "
-            f"'{escape_string(name).decode('UTF-8')}' ORDER BY OrderId")
+            "%(name)s ORDER BY OrderId")
     if not is_species:
         _sql = ("SELECT Chr_Length.Name, Chr_Length.OrderId, "
                 "Length FROM Chr_Length, InbredSet WHERE "
                 "Chr_Length.SpeciesId = InbredSet.SpeciesId AND "
                 "InbredSet.Name = "
-                f"'{escape_string(name).decode('UTF-8')}' ORDER BY OrderId")
+                "%(name)s ORDER BY OrderId")
     with conn.cursor() as cursor:
-        cursor.execute(_sql)
+        cursor.execute(_sql, {'name': name})
         return cursor.fetchall()
 
 def translate_to_mouse_gene_id(species: str, geneid: int, conn: Any) -> int:
-- 
cgit v1.2.3