From d1c8438ce8e008f8e26f9f8ac78f7b6e78cdfa91 Mon Sep 17 00:00:00 2001
From: Conrad S
Date: Mon, 6 Mar 2017 14:12:18 -0500
Subject: [PATCH] Sanitize input and check if input is empty

---
 app/lib/database.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/app/lib/database.py b/app/lib/database.py
index b2f8943..9bb84f0 100644
--- a/app/lib/database.py
+++ b/app/lib/database.py
@@ -62,8 +62,14 @@ def proc(model, method, limit=None, offset=None, **kwargs):
     params = ""
     cols = ','.join(str(i) for i in model.__table__.get_columns())
 
+    # By seperating the args like this sanatation will happen automatically
+    input_args = {}
     for key, value in kwargs.items():
-        params += "in_{} := '{}', ".format(key, value)
+        if value is not None:
+            params += "in_{} := :{}, ".format(key, key)
+            input_args[key] = str(value)
+        else:
+            params += "in_{} := null, ".format(key)
 
     params = params[:-2]  # remove last comma and space
     query = "select {} from {}.{}({})".format(
@@ -78,7 +84,7 @@ def proc(model, method, limit=None, offset=None, **kwargs):
         query += ' offset {}'.format(offset)
 
     try:
-        results = db.session.execute(query)
+        results = db.session.execute(query, input_args)
         db.session.commit()
 
         data = []
-- 
GitLab
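Review bot: The bind parameters only cover the values; the kwargs key is still formatted straight into the SQL text at `params += "in_{} := :{}, ".format(key, key)`, and the second hunk's context line `query += ' offset {}'.format(offset)` (and presumably a matching `limit` line just above it) still interpolates the paging arguments. Keys come from `**kwargs`, so they are fine when callers spell them out, but a caller that forwards a dict of request input would put caller-controlled text into the statement; rejecting anything that is not a plain identifier, `if not key.isidentifier(): raise ValueError(key)`, closes that, and binding `offset`/`limit` the same way as the other values would finish the job. `input_args[key] = str(value)` also discards the Python type of every argument so the driver binds everything as text, which is worth confirming against the procedures' declared parameter types. The comment on the first added line has two misspellings; `# Values are passed as bind parameters, so the driver escapes them` reads cleaner. The body of proc starts before the first hunk and continues past the second.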