Patched sqli/dao/course.py

sqli/dao/course.py

@@ -26,23 +26,30 @@ async def get(conn: Connection, id_: int):
     async def get_many(conn: Connection, limit: Optional[int] = None,
                        offset: Optional[int] = None):
         q = 'SELECT id, title, description FROM courses'
-        params = {}
+        params = []
         if limit is not None:
-            q += ' LIMIT + %(limit)s '
-            params['limit'] = limit
+            if not isinstance(limit, int) or limit < 0:
+                raise ValueError("Limit must be a non-negative integer")
+            q += ' LIMIT %s'
+            params.append(limit)
         if offset is not None:
-            q += ' OFFSET + %(offset)s '
-            params['offset'] = offset
+            if not isinstance(offset, int) or offset < 0:
+                raise ValueError("Offset must be a non-negative integer")
+            q += ' OFFSET %s'
+            params.append(offset)
         async with conn.cursor() as cur:
-            await cur.execute(q, **params)
+            await cur.execute(q, tuple(params))
             result = await cur.fetchall()
             return [Course.from_raw(r) for r in result]
 
     @staticmethod
     async def create(conn: Connection, title: str,
                      description: Optional[str] = None):
+        if not isinstance(title, str) or not title.strip():
+            raise ValueError("Title must be a non-empty string")
+        if description is not None and not isinstance(description, str):
+            raise ValueError("Description must be a string if provided")
         q = ('INSERT INTO courses (title, description) '
-             'VALUES (%(title)s, %(description)s)')
+             'VALUES (%s, %s)')
         async with conn.cursor() as cur:
-            await cur.execute(q, {'title': title,
-                                  'description': description})
+            await cur.execute(q, (title, description))