authorjasplin <qt-info@nokia.com>2011-03-18 13:55:53 +0100
committerjasplin <qt-info@nokia.com>2011-03-18 13:55:53 +0100
commit6efb3cbdc08f93685dff481635a9e4a9997f8017 (patch)
tree177beb082cfef166d18c588e05567265b467807d /scripts/listtestcases2.py
parentae4f42288dbf4d1e33d04384e3d117d7f8c80641 (diff)
Make SQL queries safer and more robust.
This patch ensures proper processing of SQL queries by making use of the second argument to the Psycopg execute() method:

WRONG:
>>> SQL = "INSERT INTO authors (name) VALUES ('%s');" # NEVER DO THIS
>>> data = ("O'Reilly", )
>>> cur.execute(SQL % data) # THIS WILL FAIL MISERABLY

CORRECT:
>>> SQL = "INSERT INTO authors (name) VALUES (%s);" # Notice: no quotes
>>> data = ("O'Reilly", )
>>> cur.execute(SQL, data) # Notice: no % operator

This has a double purpose:
1: Arguments are automatically handled properly according to their type (in particular strings containing single quotes).
2: SQL injection is prevented.
Diffstat (limited to 'scripts/listtestcases2.py')
-rw-r--r--scripts/listtestcases2.py11
1 files changed, 5 insertions, 6 deletions
diff --git a/scripts/listtestcases2.py b/scripts/listtestcases2.py
index 9cdcbda..020dcd2 100644
--- a/scripts/listtestcases2.py
+++ b/scripts/listtestcases2.py
@@ -31,17 +31,16 @@ class ListTestCases2:
# Get all distinct benchmarks matching both contexts:
bmark_ids = execQuery(
"SELECT DISTINCT benchmarkId"
- " FROM result WHERE contextId = %d"
+ " FROM result WHERE contextId = %s"
" INTERSECT "
"SELECT DISTINCT benchmarkId"
- " FROM result WHERE contextId = %d;"
- % (getContext(
+ " FROM result WHERE contextId = %s",
+ (getContext(
self.host1_id, self.platform1_id, self.branch1_id,
self.sha11_id),
- getContext(
+ getContext(
self.host2_id, self.platform2_id, self.branch2_id,
- self.sha12_id)
- )
+ self.sha12_id))
)
# Extract all distinct test case components: