
Don't build SQL with string concatenation (#405)
chadwhitacre committed Dec 6, 2012
1 parent 501e38c commit b42f177
Showing 1 changed file with 10 additions and 6 deletions.
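--- a/gittip/authentication.py
+++ b/gittip/authentication.py
@@ -19,25 +19,29 @@ def __init__(self, session):
 
     @classmethod
     def from_session_token(cls, token):
-        session = cls.load_session("session_token=%s", token)
+        SESSION = ("SELECT * FROM participants "
+                   "WHERE is_suspicious IS NOT true "
+                   "AND session=%s")
+        session = cls.load_session(SESSION, token)
         return cls(session)
 
     @classmethod
     def from_id(cls, participant_id):
         from gittip import db
-        session = cls.load_session("id=%s", participant_id)
+        SESSION = ("SELECT * FROM participants "
+                   "WHERE is_suspicious IS NOT true "
+                   "AND id=%s")
+        session = cls.load_session(SESSION, participant_id)
         session['session_token'] = uuid.uuid4().hex
         db.execute( "UPDATE participants SET session_token=%s WHERE id=%s"
                   , (session['session_token'], participant_id)
                    )
         return cls(session)
 
     @staticmethod
-    def load_session(where, val):
+    def load_session(SESSION, val):
         from gittip import db
-        SQL =("SELECT * FROM participants WHERE is_suspicious IS NOT true "
-              "AND " + where)
-        rec = db.fetchone(SQL, (val,))
+        rec = db.fetchone(SESSION, (val,))
         out = {}
         if rec is not None:
             out = rec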
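Review bot: `load_session` now accepts the entire query text as its `SESSION` parameter, so the concatenation fix holds only as long as every caller passes a constant literal and binds the user-controlled value through `(val,)`; nothing in the new signature says so. A docstring on `load_session` should state the contract, e.g. `"""Fetch one non-suspicious participant. SESSION must be a literal query with exactly one %s placeholder; val is bound by the driver, never interpolated."""`. The two classmethods also repeat the `SELECT * FROM participants WHERE is_suspicious IS NOT true` prefix verbatim, which could be a single module-level constant so the suspicious-participant filter cannot drift between the two lookups. As a matter of style, an all-caps parameter name reads as a module constant; `sql` would be the conventional choice. The body of `load_session` continues past the end of the hunk.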
