Parameterise SQL queries

th3-z · Mar 9, 2018 · d855d67 · d855d67
1 parent 90a861d
commit d855d67
Showing 1 changed file with 31 additions and 31 deletions.
diff --git a/magicked_admin/database/database.py b/magicked_admin/database/database.py
@@ -46,62 +46,62 @@ def top_dosh(self):
         return all_rows
 
     def player_dosh(self, username):
-        self.cur.execute('SELECT (dosh) FROM players WHERE username="{un}"'.\
-            format(un=username))
+        self.cur.execute('SELECT (dosh) FROM players WHERE username=?',
+                         (username,))
         all_rows = self.cur.fetchall()
         if all_rows:
             return int(all_rows[0][0])
         else:
             return 0
 
     def player_dosh_spent(self, username):
-        self.cur.execute('SELECT (dosh_spent) FROM players WHERE username="{un}"'.\
-            format(un=username))
+        self.cur.execute('SELECT (dosh_spent) FROM players WHERE username=?',
+                         (username,))
         all_rows = self.cur.fetchall()
         if all_rows:
             return int(all_rows[0][0])
         else:
             return 0
 
     def player_kills(self, username):
-        self.cur.execute('SELECT (kills) FROM players WHERE username="{un}"'.\
-            format(un=username))
+        self.cur.execute('SELECT (kills) FROM players WHERE username=?',
+                         (username,))
         all_rows = self.cur.fetchall()
         if all_rows:
             return int(all_rows[0][0])
         else:
             return 0
 
     def player_deaths(self, username):
-        self.cur.execute('SELECT (deaths) FROM players WHERE username="{un}"'.\
-            format(un=username))
+        self.cur.execute('SELECT (deaths) FROM players WHERE username=?',
+                         (username,))
         all_rows = self.cur.fetchall()
         if all_rows:
             return int(all_rows[0][0])
         else:
             return 0
 
     def player_logins(self, username):
-        self.cur.execute('SELECT (logins) FROM players WHERE username="{un}"'.\
-            format(un=username))
+        self.cur.execute('SELECT (logins) FROM players WHERE username=?',
+                         (username,))
         all_rows = self.cur.fetchall()
         if all_rows:
             return int(all_rows[0][0])
         else:
             return 0
 
     def player_time(self, username):
-        self.cur.execute('SELECT (time_online) FROM players WHERE username="{un}"'.\
-            format(un=username))
+        self.cur.execute('SELECT (time_online) FROM players WHERE username=?',
+                         (username,))
         all_rows = self.cur.fetchall()
         if all_rows:
             return int(all_rows[0][0])
         else:
             return 0
 
     def player_health_lost(self, username):
-        self.cur.execute('SELECT (health_lost) FROM players WHERE username="{un}"'.\
-            format(un=username))
+        self.cur.execute('SELECT (health_lost) FROM players WHERE username=?',
+                         (username,))
         all_rows = self.cur.fetchall()
         if all_rows:
             return int(all_rows[0][0])
@@ -118,30 +118,30 @@ def load_player(self, player):
         player.total_time = self.player_time(player.username)
 
     def save_player(self, player, final=False):
-        self.cur.execute("INSERT OR IGNORE INTO players (username) VALUES (?)",\
-            (player.username,))
-
-        self.cur.execute("UPDATE players SET dosh_spent = ? WHERE username = ?",\
-            (player.total_dosh_spent, player.username))
-        self.cur.execute("UPDATE players SET dosh = ? WHERE username = ?",\
-            (player.total_dosh, player.username))
-        self.cur.execute("UPDATE players SET kills = ? WHERE username = ?",\
-            (player.total_kills, player.username))
-        self.cur.execute("UPDATE players SET deaths = ? WHERE username = ?",\
-            (player.total_deaths, player.username))
-        self.cur.execute("UPDATE players SET health_lost = ? WHERE username = ?",\
-            (player.total_health_lost, player.username))
-        self.cur.execute("UPDATE players SET logins = ? WHERE username = ?",\
-            (player.total_logins, player.username))
+        self.cur.execute("INSERT OR IGNORE INTO players (username) VALUES (?)",
+                         (player.username,))
+
+        self.cur.execute("UPDATE players SET dosh_spent = ? WHERE username = ?",
+                         (player.total_dosh_spent, player.username))
+        self.cur.execute("UPDATE players SET dosh = ? WHERE username = ?",
+                         (player.total_dosh, player.username))
+        self.cur.execute("UPDATE players SET kills = ? WHERE username = ?",
+                         (player.total_kills, player.username))
+        self.cur.execute("UPDATE players SET deaths = ? WHERE username = ?",
+                         (player.total_deaths, player.username))
+        self.cur.execute("UPDATE players SET health_lost = ? WHERE username = ?",
+                         (player.total_health_lost, player.username))
+        self.cur.execute("UPDATE players SET logins = ? WHERE username = ?",
+                         (player.total_logins, player.username))
 
         if final:
             now = datetime.datetime.now()
             elapsed_time = now - player.session_start
             seconds = elapsed_time.total_seconds()
             new_time = player.total_time + seconds
 
-            self.cur.execute("UPDATE players SET time_online = ? WHERE username = ?",\
-            (new_time, player.username))
+            self.cur.execute("UPDATE players SET time_online = ? WHERE username = ?",
+                             (new_time, player.username))
 
         self.conn.commit()