Merge pull request #131 from sanger-pathogens/quotes

use prepared statements for database access
sanger-pathogens · May 8, 2019 · fffdbb0 · fffdbb0
2 parents a0e04d5 + f407f32
commit fffdbb0
Showing 1 changed file with 6 additions and 4 deletions.
diff --git a/lib/Bio/VertRes/Config/DatabaseManager.pm b/lib/Bio/VertRes/Config/DatabaseManager.pm
@@ -51,20 +51,22 @@ sub build_database_handle {
 
 sub get_study_name_from_ssid {
   my ($self, $ssid) = @_;
-  my $sql = "select name from study where id_study_lims = '".$ssid."' ";
   my $dbh = $self->build_database_handle;
-  my @study_names = $dbh->selectrow_array($sql );
+  my $sth = $dbh->prepare("select name from study where id_study_lims = ?");
+  $sth->execute($ssid);
+  my @study_names = $sth->fetchrow_array;
   return @study_names;
 }
 
 sub get_data_access_groups {
   my ($self, $study_name) = @_;
   my @data_access_groups;
-  my $sql = "select data_access_group from study where name = '".$study_name."' ";
   eval { my $dbh = $self->build_database_handle; };
   if ( !$@ ) {
     my $dbh = $self->build_database_handle;
-    my $dag_string = $dbh->selectrow_array( $sql );
+    my $sth = $dbh->prepare("select data_access_group from study where name = ?");
+    $sth->execute($study_name);
+    my $dag_string = $sth->fetchrow_array;
     @data_access_groups = split(' ', $dag_string) if defined $dag_string && $dag_string ne '';
   }