From bef2a855d2b3192647663fcea0731c4fb41620e7 Mon Sep 17 00:00:00 2001
From: Tim Burke
Date: Thu, 26 Apr 2018 16:56:53 -0700
Subject: [PATCH] Parameterize SQL args

'Cause I want to have shard ranges with quotes in them LIKE A CRAZY PERSON.

Change-Id: I18f84caf2eb4fe17fbe28d7cb5d65cec4da7474d
---
 swift/container/backend.py | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/swift/container/backend.py b/swift/container/backend.py
index 4c9c2d601e..b9d3e89cac 100644
--- a/swift/container/backend.py
+++ b/swift/container/backend.py
@@ -1591,25 +1591,30 @@ class ContainerBroker(DatabaseBroker):
             try:
                 condition = ''
                 conditions = []
+                params = []
                 if not include_deleted:
                     conditions.append('deleted=0')
                 if included_states:
-                    state_list = ','.join([str(st) for st in included_states])
-                    conditions.append('state in (%s)' % state_list)
+                    conditions.append('state in (%s)' % ','.join(
+                        '?' * len(included_states)))
+                    params.extend(included_states)
                 if excluded_states:
-                    state_list = ','.join([str(st) for st in excluded_states])
-                    conditions.append('state not in (%s)' % state_list)
+                    conditions.append('state not in (%s)' % ','.join(
+                        '?' * len(excluded_states)))
+                    params.extend(excluded_states)
                 if not include_own:
-                    conditions.append('name!="%s"' % self.path)
+                    conditions.append('name != ?')
+                    params.append(self.path)
                 if exclude_others:
-                    conditions.append('name="%s"' % self.path)
+                    conditions.append('name = ?')
+                    params.append(self.path)
                 if conditions:
                     condition = ' WHERE ' + ' AND '.join(conditions)
                 sql = '''
                 SELECT %s
                 FROM shard_ranges%s;
                 ''' % (', '.join(SHARD_RANGE_KEYS), condition)
-                data = conn.execute(sql)
+                data = conn.execute(sql, params)
                 data.row_factory = None
                 return [row for row in data]
             except sqlite3.OperationalError as err:
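Review bot: The new placeholder construction on the `state in` and `state not in` lines calls `len(included_states)` and `len(excluded_states)`, so those arguments must now be sized containers, whereas the removed list comprehensions accepted any iterable; a caller passing a generator would now raise TypeError, though the callers are outside the hunk so I cannot confirm whether any does. Materializing once, `included_states = list(included_states)`, before the join would keep the old contract and feed both the placeholder count and `params.extend`. The same placeholder expression is built twice; a small helper such as `placeholders = lambda seq: ','.join('?' * len(seq))` would remove the duplication. A one-line comment on `params = []`, such as `# bind states and self.path as parameters so quotes in names are never interpolated into SQL`, would record why the query text now holds only literals and `?` markers. The enclosing function begins before and continues after the hunk.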