Use placeholders for user driven parameters

close #128
FedericoCeratto · Aug 5, 2024 · 05949a3 · 05949a3
1 parent 3690357
commit 05949a3
Showing 1 changed file with 19 additions and 12 deletions.
diff --git a/cork/sqlite_backend.py b/cork/sqlite_backend.py
@@ -50,12 +50,14 @@ def __len__(self):
 
     def __contains__(self, key):
         # FIXME: count()
-        query = "SELECT * FROM %s WHERE %s='%s'" % (
+        query = "SELECT * FROM %s WHERE %s=?" % (
             self._table_name,
             self._key_col,
+        )
+        args =  (
             key,
         )
-        row = self._backend.fetch_one(query)
+        row = self._backend.fetch_one(query, args)
         return row is not None
 
     def __setitem__(self, key, value):
@@ -83,12 +85,14 @@ def __setitem__(self, key, value):
         ret = self._backend.run_query_using_conversion(query, col_values)
 
     def __getitem__(self, key):
-        query = "SELECT * FROM %s WHERE %s='%s'" % (
+        query = "SELECT * FROM %s WHERE %s=?" %(
             self._table_name,
             self._key_col,
+        )
+        args = (
             key,
         )
-        row = self._backend.fetch_one(query)
+        row = self._backend.fetch_one(query, args)
         if row is None:
             raise KeyError(key)
 
@@ -114,8 +118,9 @@ def iteritems(self):
 
     def pop(self, key):
         d = self.__getitem__(key)
-        query = "DELETE FROM %s WHERE %s='%s'" % (self._table_name, self._key_col, key)
-        self._backend.fetch_one(query)
+        query = "DELETE FROM %s WHERE %s=?"  % (self._table_name, self._key_col)
+        args = (key,)
+        self._backend.fetch_one(query, args)
         # FIXME: check deletion
         return d
 
@@ -164,13 +169,15 @@ def __setitem__(self, key, value):
         ret = self._backend.run_query_using_conversion(query, col_values)
 
     def __getitem__(self, key):
-        query = "SELECT %s FROM %s WHERE %s='%s'" % (
+        query = "SELECT %s FROM %s WHERE %s=?"  % (
             self._value_col,
             self._table_name,
             self._key_col,
+        )
+        args = (
             key,
         )
-        row = self._backend.fetch_one(query)
+        row = self._backend.fetch_one(query, args)
         if row is None:
             raise KeyError(key)
 
@@ -243,14 +250,14 @@ def connection(self):
             self._connection = sqlite3.connect(self._filename, isolation_level=None)
             return self._connection
 
-    def run_query(self, query):
-        return self._connection.execute(query)
+    def run_query(self, query, *args):
+        return self._connection.execute(query, *args)
 
     def run_query_using_conversion(self, query, args):
         return self._connection.execute(query, args)
 
-    def fetch_one(self, query):
-        return self._connection.execute(query).fetchone()
+    def fetch_one(self, query, *args):
+        return self._connection.execute(query, *args).fetchone()
 
     def _initialize_storage(self, db_name):
         raise NotImplementedError