Protect db from SQL injection

0488ae61 · Vasyl Bodnaruk · c3c8d3c2 · 0488ae61
Commit 0488ae61 authored Aug 02, 2017 by Vasyl Bodnaruk
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 6 deletions

update.py exa/update.py +7 -6

No files found.
--- a/exa/update.py
+++ b/exa/update.py
@@ -29,8 +29,8 @@ class NewsUpdater:
            tags.append(i[0])
        return json.dumps(tags)

-    def update_news(self, query):
-        self.db.update(query)
+    def update_news(self, query, data):
+        self.db.update(query, data)

    # this bad way
    def update_all_tags(self):
@@ -38,16 +38,17 @@ class NewsUpdater:
            try:
                text = self.load_text(i[1])
                tags = self.get_tags(text)
-                self.update_news('update wp_esi_news_accept set tags_id="{}" where id={}'.format(tags, i[0]))
+                self.update_news('update wp_esi_news_accept set tags_id="%s" where id=%s', (tags, i[0]))
                print('News id={} was updated'.format(i[0]))
            except BaseException as e:
                print(e.with_traceback())

    def update_all_text(self):
-        for i in self.select_news('select id, url from wp_esi_news_accept where id>26500'):
+        for i in self.select_news('select id, url from wp_esi_news_accept'):
            # try:
                text = self.load_text(i[1])
-                self.update_news('update wp_esi_news_accept set text="{}" where id={}'.format(str(text.encode('ascii', 'ignore')), i[0]))
+                data = (text.encode('ascii', 'ignore'), i[0])
+                self.update_news('update wp_esi_news_accept set text="%s" where id=%s', data)
                print('News id={} was updated'.format(i[0]))
            # except BaseException as e:
            #     print(e.with_traceback())
@@ -55,4 +56,4 @@ class NewsUpdater:

 if __name__ == '__main__':
    ml = NewsUpdater()
-    ml.update_all_text()
+    ml.update_all_tags()