
Commit 959dfb6

Fixed SQL update to avoid SQL injection
1 parent c9ec070 commit 959dfb6

1 file changed

+4
-26
lines changed

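--- a/source/daily_cron_jobs/methods_upload_user_stats.py
+++ b/source/daily_cron_jobs/methods_upload_user_stats.py
@@ -610,36 +610,14 @@ def upload_user_data(user_stats_dict):
 print("Number of users updated:" + str(users_info_updated_count))
 
 dev_tokens_users = get_dev_token_users_from_mongo()
-#print("dev_tokens_users: " + str(dev_tokens_users))
-
-####################
-# TRIED DO UPDATE WITH PASSED LIST NONE OF THIS WORKED
-# HAD To build up the entire string
-# update_new_dev_tokens_statement = (
-# "update user_info set dev_token_first_seen = now() "
-# "where dev_token_first_seen is null and "
-# "username in (%s)"
-# )
-# sql_params = ",".join(dev_tokens_users)
-# sql_params = (dev_tokens_users,)
-# sql_params = ([str(dev_tokens_users)])
-# cursor.execute(update_new_dev_tokens_statement, [sql_params])
-# cursor.execute("update user_info set dev_token_first_seen = now() "
-# "where dev_token_first_seen is null and "
-# "username in (%s)" % ', '.join('?' * len(dev_tokens_users)), dev_tokens_users)
-# update_new_dev_tokens_statement = (
-# "update user_info set dev_token_first_seen = now() "
-# "where dev_token_first_seen is null and "
-# "username in (%s)" % ', '.join('?' * len(dev_tokens_users)), dev_tokens_users
-# )
-# cursor.execute("SELECT foo.y FROM foo WHERE foo.x in (%s)" % ', '.join('?' * len(s)), s)
-dev_tokens_string = "', '".join(dev_tokens_users)
 update_new_dev_tokens_statement = (
 "update user_info set dev_token_first_seen = now() "
 "where dev_token_first_seen is null and "
-"username in ('" + dev_tokens_string + "')"
+"username in (" + ("%s, " * (len(dev_tokens_users) - 1)) + "%s)"
 )
-cursor.execute(update_new_dev_tokens_statement)
+# print("update_new_dev_tokens_statement : " + update_new_dev_tokens_statement)
+update_dev_tokens_prep_cursor = db_connection.cursor(prepared=True)
+update_dev_tokens_prep_cursor.execute(update_new_dev_tokens_statement, dev_tokens_users)
 db_connection.commit()
 
 # NOW DO USER SUMMARY STATS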
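Review bot: The new placeholder expression `("%s, " * (len(dev_tokens_users) - 1)) + "%s)"` still produces `username in (%s)` when `dev_tokens_users` is empty (the multiplier goes to -1 and yields an empty string), so the prepared `execute` on the next added line is called with one placeholder and zero parameters and will raise a parameter-count error instead of being a harmless no-op; guard the whole update with `if dev_tokens_users:` before building the statement. `", ".join(["%s"] * len(dev_tokens_users))` is the clearer way to build the placeholder list and covers the one-element case without the `- 1` arithmetic. The prepared cursor is created but never closed; add `update_dev_tokens_prep_cursor.close()` after the execute, or use a `with` block if the connector supports context-managed cursors. Binding the parameters this way is only correct if `dev_tokens_users` is a plain list or tuple of strings, which is presumably what `get_dev_token_users_from_mongo()` returns but is not visible here. `upload_user_data` begins and ends outside the hunk.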
