From a1731ce47f2e090e9fc053812e77839561243833 Mon Sep 17 00:00:00 2001
From: Etzelia
Date: Fri, 16 Aug 2019 12:26:39 -0500
Subject: [PATCH] Escape percent signs in raw SQL

Signed-off-by: Etzelia
---
 activity.py | 2 +-
 gui.py | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/activity.py b/activity.py
index 7179609..9ffbe65 100644
--- a/activity.py
+++ b/activity.py
@@ -30,7 +30,7 @@ def activity_results(form):
 if form.players:
 for player in form.players.split(","):
 players.append(player.strip())
- players_clause = " WHERE ({}) ".format(" OR ".join(["player LIKE '%{}%'".format(p) for p in players]))
+ players_clause = " WHERE ({}) ".format(" OR ".join(["player LIKE '%%{}%%'".format(p) for p in players]))
 query = '''SELECT 0 AS id, cs.time AS unix, cu.user AS player, cs.action FROM co_session cs
diff --git a/gui.py b/gui.py
index 122a1ec..584f547 100644
--- a/gui.py
+++ b/gui.py
@@ -94,7 +94,7 @@ def gui_data(request):
 def gui_results(form):
 queries = []
- ignore_environment = " AND player NOT LIKE '#%' " if form.ignore_environment else ""
+ ignore_environment = " AND player NOT LIKE '#%%' " if form.ignore_environment else ""
 oldest_first = " ASC " if form.oldest_first else " DESC "
 coords = []
@@ -112,7 +112,7 @@ def gui_results(form):
 if form.players:
 for player in form.players.split(","):
 players.append(player.strip())
- players_clause = " AND ({})".format(" OR ".join(["player LIKE '%%{}%%'".format(p) for p in players]))
+ players_clause = " AND ({})".format(" OR ".join(["player LIKE '%%{}%%'".format(p) for p in players]))
 worlds_clause = ""
 worlds = [world["id"] for world in form.worlds if world["checked"]]
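Review bot: In the `players_clause` line of `activity_results` (activity.py), the names read from `form.players` are still spliced into the SQL text with `.format(p)`, so doubling the literal `%` signs fixes only the literals: a name containing a quote changes the statement, and a name containing `%` brings back the formatting problem this commit works around. The same construction is in the `players_clause` hunk of `gui_results` in gui.py. Assuming the query runs through a driver that accepts bound parameters (the execution call is outside these hunks, and the need to double `%` suggests the `%s` placeholder style), build the clause from placeholders, `" OR ".join(["player LIKE %s"] * len(players))`, and pass `["%{}%".format(p) for p in players]` as the parameter list. Empty entries left by `split(",")` could be dropped at the same time, since an empty name produces a pattern that matches every row.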