Use a parameterized query to prevent sql injection
JohnMwashuma committed Aug 13, 2024
1 parent e9aece0 commit 20fb25c
Showing 1 changed file with 5 additions and 3 deletions.
8 changes: 5 additions & 3 deletions tally_ho/apps/tally/management/commands/utils.py
Expand Up @@ -249,12 +249,14 @@ def check_duplicates(csv_file_path: str, field: str) -> None:
"""
con = duckdb.connect()

result = con.execute(f"""
query = """


Code scanning / Bandit (reported by Codacy)

Possible SQL injection vector through string-based query construction. Warning

Possible SQL injection vector through string-based query construction.
SELECT {field}, COUNT(*) AS cnt
FROM read_csv_auto('{csv_file_path}')
FROM read_csv_auto(?)
GROUP BY {field}
HAVING cnt > 1
""").fetchall()
""".format(field=field)

result = con.execute(query, [csv_file_path]).fetchall()

if len(result) > 0:
raise Exception(f"Duplicates found for field '{field}'")
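Review bot: The new query still interpolates `field` into the SQL text through `.format(field=field)` on the `SELECT {field}` and `GROUP BY {field}` lines, so the Bandit finding attached to this hunk is still accurate: only `csv_file_path` is bound via `?`, and a column name cannot be passed as a bind parameter. `field` should be validated or escaped before the format call, for example by quoting it as an identifier, `safe_field = '"' + field.replace('"', '""') + '"'` and formatting with `field=safe_field`, or by checking it against the CSV's header columns first so an unexpected value raises instead of being executed. The `con` connection opened above is also never closed, including on the `raise Exception(...)` path; DuckDB connections appear to support `with duckdb.connect() as con:`, which would release it. `check_duplicates` begins outside this hunk, so its signature and the start of its docstring are not visible here.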
