
Fix SQL injection.

1 parent 89d615f commit 65a95c8e67e9938b2e4e384ef38eaca6b3f9a88c @thomasst thomasst committed Jun 5, 2012
Showing with 6 additions and 6 deletions.
  1. +6 −6 pyzipcode/__init__.py
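--- a/pyzipcode/__init__.py
+++ b/pyzipcode/__init__.py
@@ -16,7 +16,7 @@ def __init__(self):
 conn = sqlite3.connect(db_location)
 conn.close()
- def query(self, sql):
+ def query(self, sql, args):
 conn = None
 retry_count = 0
 while not conn and retry_count <= 10:
@@ -32,14 +32,14 @@ def query(self, sql):
 raise sqlite3.OperationalError("Can't connect to sqlite database.")
 cursor = conn.cursor()
- cursor.execute(sql)
+ cursor.execute(sql, args)
 res = cursor.fetchall()
 conn.close()
 return res
-ZIP_QUERY = "SELECT * FROM ZipCodes WHERE zip='%s'"
+ZIP_QUERY = "SELECT * FROM ZipCodes WHERE zip=?"
 ZIP_RANGE_QUERY = "SELECT * FROM ZipCodes WHERE longitude >= %s and longitude <= %s AND latitude >= %s and latitude <= %s"
-ZIP_FIND_QUERY = "SELECT * FROM ZipCodes WHERE city LIKE '%s' AND state LIKE '%s'"
+ZIP_FIND_QUERY = "SELECT * FROM ZipCodes WHERE city LIKE ? AND state LIKE ?"
 class ZipCode(object):
 def __init__(self, data):
@@ -95,10 +95,10 @@ def find_zip(self, city=None, state=None):
 else:
 state = state.upper()
- return format_result(self.conn_manager.query(ZIP_FIND_QUERY % (city, state)))
+ return format_result(self.conn_manager.query(ZIP_FIND_QUERY, [city, state]))
 def get(self, zip):
- return format_result(self.conn_manager.query(ZIP_QUERY % zip))
+ return format_result(self.conn_manager.query(ZIP_QUERY, [zip]))
 def __getitem__(self, zip):
 zip = self.get(str(zip))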
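Review bot: `ZIP_RANGE_QUERY` in the second hunk is left as a `%s`-formatted string while `ZIP_QUERY` and `ZIP_FIND_QUERY` are converted to `?` placeholders, so whatever caller formats it (not visible in this diff) still builds SQL by string interpolation and is not covered by the fix the title claims. Converting it in the same way, `ZIP_RANGE_QUERY = "SELECT * FROM ZipCodes WHERE longitude >= ? and longitude <= ? AND latitude >= ? and latitude <= ?"`, and passing the four bounds as the `args` list keeps every query on the parameterized path. Related: `query` now requires `args` positionally, so any remaining `query(sql)` call raises TypeError; a default `def query(self, sql, args=()):` keeps old callers working during the migration. Note also that parameterizing `LIKE ? ` stops injection but does not neutralize `%` and `_` inside `city`/`state`, which are still interpreted as wildcards; a short comment on `ZIP_FIND_QUERY` saying so would save the next reader a surprise. The bodies of `query`, `find_zip` and `__getitem__` extend beyond their hunks.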

