Patched sqli/dao/student.py

patched-codes · Dec 19, 2024 · 707c8ee · 707c8ee
1 parent 6066741
commit 707c8ee
Showing 1 changed file with 4 additions and 5 deletions.
diff --git a/sqli/dao/student.py b/sqli/dao/student.py
@@ -27,10 +27,10 @@ async def get_many(conn: Connection, limit: Optional[int] = None,
         q = 'SELECT id, name FROM students'
         params = {}
         if limit is not None:
-            q += ' LIMIT + %(limit)s '
+            q += ' LIMIT %(limit)s '
             params['limit'] = limit
         if offset is not None:
-            q += ' OFFSET + %(offset)s '
+            q += ' OFFSET %(offset)s '
             params['offset'] = offset
         async with conn.cursor() as cur:
             await cur.execute(q, params)
@@ -39,9 +39,8 @@ async def get_many(conn: Connection, limit: Optional[int] = None,
 
     @staticmethod
     async def create(conn: Connection, name: str):
-        q = ("INSERT INTO students (name) "
-             "VALUES ('%(name)s')" % {'name': name})
+        q = "INSERT INTO students (name) VALUES (%s)"
         async with conn.cursor() as cur:
-            await cur.execute(q)
+            await cur.execute(q, (name,))