Fix code scanning alert no. 2: SQL query built from user-controlled s…

…ources Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
ovaisq · Nov 11, 2024 · 0b86b88 · 0b86b88
1 parent 8b9ea5e
commit 0b86b88
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 5 deletions.
diff --git a/database.py b/database.py
@@ -74,13 +74,13 @@ def insert_data_into_table(table_name, data):
         logging.error("%s", e)
         raise
 
-def get_select_query_results(sql_query):
+def get_select_query_results(sql_query, params=None):
     """Execute a query, return all rows for the query
     """
 
     conn, cur = psql_connection()
     try:
-        cur.execute(sql_query)
+        cur.execute(sql_query, params)
         # For SELECT query
         if sql_query.upper().strip().startswith('SELECT'):
             result = cur.fetchall()

diff --git a/rollama.py b/rollama.py
@@ -293,18 +293,18 @@ def analyze_comment(comment_id):
     logging.info(info_message)
     log_message_to_db(os.environ['SRVC_NAME'], get_rollama_version()['version'], 'INFO', info_message)
 
-    sql_query = f"""SELECT
+    sql_query = """SELECT
                         comment_id, comment_body
                     FROM 
                         comments
                     WHERE
-                        comment_id='{comment_id}'
+                        comment_id=%s
                     AND 
                         comment_body
                     NOT IN ('', '[removed]', '[deleted]');
                 """
 
-    comment_data =  get_select_query_results(sql_query)
+    comment_data =  get_select_query_results(sql_query, (comment_id,))
 
     if not comment_data:
         warn_message = f'Comment ID {comment_id} contains no body'