author | jasplin <qt-info@nokia.com> | 2011-03-18 13:55:53 +0100 |
---|---|---|
committer | jasplin <qt-info@nokia.com> | 2011-03-18 13:55:53 +0100 |
commit | 6efb3cbdc08f93685dff481635a9e4a9997f8017 (patch) | |
tree | 177beb082cfef166d18c588e05567265b467807d /scripts/listtestcases1.py | |
parent | ae4f42288dbf4d1e33d04384e3d117d7f8c80641 (diff) |
Make SQL queries safer and more robust.
This patch ensures proper processing of SQL queries by making
use of the second argument to the Psycopg execute() method:
WRONG:
>>> SQL = "INSERT INTO authors (name) VALUES ('%s');" # NEVER DO THIS
>>> data = ("O'Reilly", )
>>> cur.execute(SQL % data) # THIS WILL FAIL MISERABLY
CORRECT:
>>> SQL = "INSERT INTO authors (name) VALUES (%s);" # Notice: no quotes
>>> data = ("O'Reilly", )
>>> cur.execute(SQL, data) # Notice: no % operator
This has a double purpose:
1: Arguments are automatically handled properly according to their type
(in particular strings containing single quotes).
2: SQL injection is prevented.
Diffstat (limited to 'scripts/listtestcases1.py')
-rw-r--r-- | scripts/listtestcases1.py | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/scripts/listtestcases1.py b/scripts/listtestcases1.py
index 9e50cab..90f1cc5 100644
--- a/scripts/listtestcases1.py
+++ b/scripts/listtestcases1.py
@@ -21,9 +21,10 @@ class ListTestCases1:
 # Get all distinct benchmarks matching the context:
 bmark_ids = execQuery(
 "SELECT DISTINCT benchmarkId "
- "FROM result WHERE contextId = %d;"
- % getContext(
- self.host_id, self.platform_id, self.branch_id, self.sha1_id))
+ "FROM result WHERE contextId = %s",
+ (getContext(
+ self.host_id, self.platform_id, self.branch_id,
+ self.sha1_id),))
 # Extract all distinct test case components:
 tc_map = {} |
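Review bot: The one-element parameter tuple `(getContext(...),)` in the added lines is spread over three lines, so the trailing comma that makes it a tuple rather than a parenthesized call is easy to miss and easy to drop in a later edit, which would turn the bound parameter back into a raw argument. Bind the id first and pass a visibly one-element tuple: `context_id = getContext(self.host_id, self.platform_id, self.branch_id, self.sha1_id)` followed by `bmark_ids = execQuery("SELECT DISTINCT benchmarkId FROM result WHERE contextId = %s", (context_id,))`. Since `%s` now looks like Python formatting but is presumably the driver placeholder the commit message describes, a comment such as `# %s is a driver placeholder bound by execQuery's params tuple; never apply % to this string` would keep the next maintainer from reintroducing the `%` operator the commit removes. The enclosing method of ListTestCases1 starts outside the hunk.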