author | jasplin <qt-info@nokia.com> | 2011-03-18 13:55:53 +0100 |
committer | jasplin <qt-info@nokia.com> | 2011-03-18 13:55:53 +0100 |
commit | 6efb3cbdc08f93685dff481635a9e4a9997f8017 (patch) | |
tree | 177beb082cfef166d18c588e05567265b467807d /scripts/listtestcases2.py | |
parent | ae4f42288dbf4d1e33d04384e3d117d7f8c80641 (diff) |
Make SQL queries safer and more robust.
This patch ensures proper processing of SQL queries by making
use of the second argument to the Psycopg execute() method:
WRONG:
>>> SQL = "INSERT INTO authors (name) VALUES ('%s');" # NEVER DO THIS
>>> data = ("O'Reilly", )
>>> cur.execute(SQL % data) # THIS WILL FAIL MISERABLY
CORRECT:
>>> SQL = "INSERT INTO authors (name) VALUES (%s);" # Notice: no quotes
>>> data = ("O'Reilly", )
>>> cur.execute(SQL, data) # Notice: no % operator
This serves two purposes:
1: Arguments are automatically handled properly according to their type
(in particular strings containing single quotes).
2: SQL injection is prevented.
Diffstat (limited to 'scripts/listtestcases2.py')
-rw-r--r-- | scripts/listtestcases2.py | 11 |
1 files changed, 5 insertions, 6 deletions
diff --git a/scripts/listtestcases2.py b/scripts/listtestcases2.py
index 9cdcbda..020dcd2 100644
--- a/scripts/listtestcases2.py
+++ b/scripts/listtestcases2.py
@@ -31,17 +31,16 @@ class ListTestCases2:
 # Get all distinct benchmarks matching both contexts:
 bmark_ids = execQuery(
 "SELECT DISTINCT benchmarkId"
- " FROM result WHERE contextId = %d"
+ " FROM result WHERE contextId = %s"
 " INTERSECT "
 "SELECT DISTINCT benchmarkId"
- " FROM result WHERE contextId = %d;"
- % (getContext(
+ " FROM result WHERE contextId = %s",
+ (getContext(
 self.host1_id, self.platform1_id, self.branch1_id,
 self.sha11_id),
- getContext(
+ getContext(
 self.host2_id, self.platform2_id, self.branch2_id,
- self.sha12_id)
- )
+ self.sha12_id))
 )
 
 # Extract all distinct test case components: |
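Review bot: The new call passes the two getContext() results as a second positional argument to execQuery, but execQuery itself is outside this hunk, so it is not visible here whether that helper was extended to forward the tuple as `cursor.execute(sql, params)`; if it still takes a single SQL string the call fails with a TypeError at runtime, so that change should be confirmed in the same commit. A quieter behavioral difference also appears on the two `contextId = %s` lines: with the old `%d` formatting a None from getContext() raised immediately, whereas psycopg adapts None to NULL and `contextId = NULL` matches no row, so a missing context now silently yields an empty bmark_ids. If that is not intended, resolve the two context ids into locals first and guard with `if None in (ctx1, ctx2): raise ValueError("unknown context")` before running the query. The enclosing method of ListTestCases2 begins and ends outside the hunk.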