Skip to content

Update routes.py#3

Open
sean-sinclair wants to merge 1 commit into
mainfrom
sean-sinclair-patch-1
Open

Update routes.py#3
sean-sinclair wants to merge 1 commit into
mainfrom
sean-sinclair-patch-1

Conversation

@sean-sinclair

Copy link
Copy Markdown
Owner

No description provided.

Comment thread server/routes.py
if name:
cursor.execute(
"SELECT * FROM books WHERE name LIKE '%s", name
"SELECT * FROM books WHERE name LIKE '%" + name + "%"

Check failure

Code scanning / CodeQL

SQL query built from user-controlled sources

This SQL query depends on a [user-provided value](1).

Copilot Autofix

AI over 1 year ago

To fix the problem, we need to use parameterized queries instead of directly concatenating user input into the SQL query string. Parameterized queries ensure that user input is properly escaped and quoted by the database driver, preventing SQL injection attacks.

  • Replace the direct concatenation of user input in the SQL query with parameterized queries.
  • Use placeholders (%s) in the SQL query string and pass the user input as parameters to the cursor.execute method.
  • Ensure that the cursor.execute method is called with the query string and a tuple of parameters.
Suggested changeset 1
server/routes.py

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/server/routes.py b/server/routes.py
--- a/server/routes.py
+++ b/server/routes.py
@@ -15,3 +15,3 @@
         cursor.execute(
-            "SELECT * FROM books WHERE name LIKE '%" + name + "%" 
+            "SELECT * FROM books WHERE name LIKE %s", ('%' + name + '%',)
         )
@@ -21,3 +21,3 @@
         cursor.execute(
-            "SELECT * FROM books WHERE author LIKE '%" + author + "%"
+            "SELECT * FROM books WHERE author LIKE %s", ('%' + author + '%',)
         )
EOF
@@ -15,3 +15,3 @@
cursor.execute(
"SELECT * FROM books WHERE name LIKE '%" + name + "%"
"SELECT * FROM books WHERE name LIKE %s", ('%' + name + '%',)
)
@@ -21,3 +21,3 @@
cursor.execute(
"SELECT * FROM books WHERE author LIKE '%" + author + "%"
"SELECT * FROM books WHERE author LIKE %s", ('%' + author + '%',)
)
Copilot is powered by AI and may make mistakes. Always verify output.
Comment thread server/routes.py
elif author:
cursor.execute(
"SELECT * FROM books WHERE author LIKE '%s", author
"SELECT * FROM books WHERE author LIKE '%" + author + "%"

Check failure

Code scanning / CodeQL

SQL query built from user-controlled sources

This SQL query depends on a [user-provided value](1).

Copilot Autofix

AI over 1 year ago

To fix the problem, we need to use parameterized queries instead of directly concatenating user input into the SQL query strings. Parameterized queries ensure that user input is properly escaped and treated as data rather than executable code, thus preventing SQL injection attacks.

The best way to fix the problem without changing existing functionality is to modify the cursor.execute calls to use parameterized queries. This involves replacing the string concatenation with placeholders (%s) and passing the user input as parameters to the execute method.

Suggested changeset 1
server/routes.py

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/server/routes.py b/server/routes.py
--- a/server/routes.py
+++ b/server/routes.py
@@ -15,3 +15,3 @@
         cursor.execute(
-            "SELECT * FROM books WHERE name LIKE '%" + name + "%" 
+            "SELECT * FROM books WHERE name LIKE %s", ('%' + name + '%',)
         )
@@ -21,3 +21,3 @@
         cursor.execute(
-            "SELECT * FROM books WHERE author LIKE '%" + author + "%"
+            "SELECT * FROM books WHERE author LIKE %s", ('%' + author + '%',)
         )
EOF
@@ -15,3 +15,3 @@
cursor.execute(
"SELECT * FROM books WHERE name LIKE '%" + name + "%"
"SELECT * FROM books WHERE name LIKE %s", ('%' + name + '%',)
)
@@ -21,3 +21,3 @@
cursor.execute(
"SELECT * FROM books WHERE author LIKE '%" + author + "%"
"SELECT * FROM books WHERE author LIKE %s", ('%' + author + '%',)
)
Copilot is powered by AI and may make mistakes. Always verify output.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants