fixed sql update to avoid sql injection
jkbaumohl committed May 25, 2022
1 parent c9ec070 commit 959dfb6
Showing 1 changed file with 4 additions and 26 deletions.
30 changes: 4 additions & 26 deletions source/daily_cron_jobs/methods_upload_user_stats.py
@@ -610,36 +610,14 @@ def upload_user_data(user_stats_dict):
print("Number of users updated:" + str(users_info_updated_count))

dev_tokens_users = get_dev_token_users_from_mongo()
#print("dev_tokens_users: " + str(dev_tokens_users))

####################
# TRIED DO UPDATE WITH PASSED LIST NONE OF THIS WORKED
# HAD To build up the entire string
# update_new_dev_tokens_statement = (
# "update user_info set dev_token_first_seen = now() "
# "where dev_token_first_seen is null and "
# "username in (%s)"
# )
# sql_params = ",".join(dev_tokens_users)
# sql_params = (dev_tokens_users,)
# sql_params = ([str(dev_tokens_users)])
# cursor.execute(update_new_dev_tokens_statement, [sql_params])
# cursor.execute("update user_info set dev_token_first_seen = now() "
# "where dev_token_first_seen is null and "
# "username in (%s)" % ', '.join('?' * len(dev_tokens_users)), dev_tokens_users)
# update_new_dev_tokens_statement = (
# "update user_info set dev_token_first_seen = now() "
# "where dev_token_first_seen is null and "
# "username in (%s)" % ', '.join('?' * len(dev_tokens_users)), dev_tokens_users
# )
# cursor.execute("SELECT foo.y FROM foo WHERE foo.x in (%s)" % ', '.join('?' * len(s)), s)
dev_tokens_string = "', '".join(dev_tokens_users)
update_new_dev_tokens_statement = (
"update user_info set dev_token_first_seen = now() "
"where dev_token_first_seen is null and "
"username in ('" + dev_tokens_string + "')"
"username in (" + ("%s, " * (len(dev_tokens_users) - 1)) + "%s)"
)
cursor.execute(update_new_dev_tokens_statement)
# print("update_new_dev_tokens_statement : " + update_new_dev_tokens_statement)
update_dev_tokens_prep_cursor = db_connection.cursor(prepared=True)
update_dev_tokens_prep_cursor.execute(update_new_dev_tokens_statement, dev_tokens_users)
db_connection.commit()

# NOW DO USER SUMMARY STATS
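Review bot: An empty `dev_tokens_users` breaks the new update: `"%s, " * (len(dev_tokens_users) - 1)` is an empty string when the length is zero, so the statement still carries one `%s` while `execute` receives no parameters, and the connector will most likely raise where the old `in ('')` simply matched nothing. Wrap the statement build and the execute in `if dev_tokens_users:` and build the placeholders with `", ".join(["%s"] * len(dev_tokens_users))`, which also reads more directly. The hunk does not show what `get_dev_token_users_from_mongo()` returns, so pass `list(dev_tokens_users)` in case it is a set or another non-sequence. `update_dev_tokens_prep_cursor` is not closed in the visible lines; `upload_user_data` continues past the hunk, so confirm it is closed later or add `update_dev_tokens_prep_cursor.close()` after the commit.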