diff --git a/application/views/blabController.py b/application/views/blabController.py
index 23d728b..7a588cc 100644
--- a/application/views/blabController.py
+++ b/application/views/blabController.py
@@ -208,7 +208,7 @@ def blab(request):
 # Get comments
 logger.info("Executing query to get all comments")
- cursor.execute(blabCommentsSql % (blabid,))
+ cursor.execute(blabCommentsSql, (blabid, ))
 blabCommentsResults = cursor.fetchall()
 comments = []
@@ -254,7 +254,8 @@ def blab(request):
 with connection.cursor() as cursor:
 logger.info("Executing addComment")
- cursor.execute(addCommentSql % (blabid, username, comment, moment.now().format("YYYY-MM-DD hh:mm:ss")))
+ addCommentSql = "INSERT INTO comments (blabid, blabber, content, timestamp) values (%s, %s, %s, %s);"
+ cursor.execute(addCommentSql, (blabid, username, comment, moment.now().format("YYYY-MM-DD hh:mm:ss")))
 if not cursor.rowcount:
 request.error = "Failed to add comment"
diff --git a/application/views/userController.py b/application/views/userController.py
index b1d6d91..edf67a8 100644
--- a/application/views/userController.py
+++ b/application/views/userController.py
@@ -585,7 +585,8 @@ def processProfile(request):
 logger.info("Preparing the update Prepared Statement")
 update = "UPDATE users SET real_name='%s', blab_name='%s' WHERE username='%s';"
 logger.info("Executing the update Prepared Statement")
- cursor.execute(update % (realName, blabName, sessionUsername), (realName, blabName, sessionUsername))
+ update = "UPDATE users SET real_name=:realName, blab_name=:blabName WHERE username=:username"
+ cursor.execute(update, {"realName": realName, "blabName": blabName, "username": sessionUsername})
 updateResult = cursor.fetchone()
 # If there is a record...
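Review bot: The parameterized `cursor.execute(blabCommentsSql, (blabid, ))` on the `+` line is only correct if the template `blabCommentsSql`, which is assigned outside this hunk, carries a bare `%s` placeholder; the removed line used Python `%`-formatting, and a template written as `'%s'` for that style would now be quoted a second time by the driver, producing malformed SQL or a binding-count error rather than a bound value. Check the template's definition and, if it is still in the interpolation form, change it to the unquoted `%s` form the way the second hunk does for `addCommentSql`. The body of `blab` begins and ends outside this hunk.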
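Review bot: The new `addCommentSql = "INSERT INTO comments ..."` line shadows the template the removed line was formatting with `%`, so the original definition (outside this hunk) is left in place as dead code that still invites the old string-interpolation pattern at any other call site. Prefer editing that original definition to the `%s` placeholder form and dropping the local reassignment, so there is exactly one template and no interpolation-style copy remains. The enclosing `blab` function continues outside the hunk.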
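Review bot: The placeholder style on the new `update = ...` line (`:realName`, `:blabName`, `:username`) is the DB-API `named` paramstyle, whereas the blabController.py hunk in this same commit binds against `connection` with `%s`; if `connection` is Django's, as the `with connection.cursor()` usage suggests, its cursor wrapper accepts only `%s` and `%(name)s`, so this statement would reach a MySQL or PostgreSQL driver with literal `:realName` tokens and fail. Match the rest of the change with pyformat: `update = "UPDATE users SET real_name=%(realName)s, blab_name=%(blabName)s WHERE username=%(username)s"`. The unchanged context line `update = "UPDATE users SET real_name='%s', blab_name='%s' WHERE username='%s';"` two lines above is now a dead assignment immediately overwritten and should be deleted so the interpolation-style template does not linger next to the fixed one. `processProfile` extends beyond the hunk on both sides.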