diff --git a/app/lib/database.py b/app/lib/database.py
index 808c41cb0fddaa47f953825bae22de30a928980f..b21112b5f3c08d8897a9077fc462578669831bbc 100644
--- a/app/lib/database.py
+++ b/app/lib/database.py
@@ -63,9 +63,12 @@ def proc(model, method, limit=None, offset=None, **kwargs):
     params = ""
     cols = ','.join(str(i) for i in model.__table__.get_columns())
+    # By seperating the args like this sanatation will happen automatically
+    input_args = {}
     for key, value in kwargs.items():
         if value is not None:
-            params += "in_{} := '{}', ".format(key, value)
+            params += "in_{} := :{}, ".format(key, key)
+            input_args[key] = str(value)
         else:
             params += "in_{} := null, ".format(key)
     params = params[:-2] # remove last comma and space
@@ -82,7 +85,7 @@ def proc(model, method, limit=None, offset=None, **kwargs):
         query += ' offset {}'.format(offset)
     try:
-        results = db.session.execute(query)
+        results = db.session.execute(query, input_args)
         db.session.commit()
         data = []
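Review bot: The bind-parameter names are still built by `params += "in_{} := :{}, ".format(key, key)` from the caller-supplied kwargs keys, so only the values are now bound and a key that is not a plain identifier would still be spliced into the SQL text (the `null` branch has the same shape). Because `proc` takes `**kwargs`, keys are normally literal identifiers at the call site, but if any caller expands a dict built from request data that guarantee is gone; a check before the loop such as `if not key.isidentifier(): raise ValueError("invalid parameter name: {}".format(key))` closes it. `input_args[key] = str(value)` also coerces every argument to text and relies on the database to cast numeric and boolean values back, so passing `value` unchanged is worth considering. The new comment has typos ("seperating", "sanatation") and would read better as `# Values are passed as bind parameters, so the driver handles quoting/escaping`. proc's body continues before and after this hunk.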
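Review bot: `query += ' offset {}'.format(offset)` still interpolates its argument into the SQL string (the `limit` line is presumably just above the hunk and likely does the same), so the parameterization introduced in this commit stops short of `limit`/`offset`; binding them as `query += ' offset :_offset'` with `input_args['_offset'] = int(offset)` would treat them like the procedure arguments. If `query` is a plain `str`, `db.session.execute(query, input_args)` may need it wrapped in `sqlalchemy.text()` for the `:name` placeholders to be recognized as bind parameters on newer SQLAlchemy releases — confirm against the version the project pins. The `try` block continues outside the hunk.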