use parameter binding in SQL statement

c6f2d4f8 · Ansgar Burchardt · 5d39755e · c6f2d4f8
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

daklib/checks.py daklib/checks.py +1 -1

未找到文件。
--- a/daklib/checks.py
+++ b/daklib/checks.py
@@ -294,7 +294,7 @@ class SuffixCheck(Check):
 class ExternalHashesCheck(Check):
    """Checks hashes in .changes and .dsc against an external database."""
    def check_single(self, session, f):
-        q = session.execute("SELECT size, md5sum, sha1sum, sha256sum FROM external_files WHERE filename LIKE '%%/%s'" % f.filename)
+        q = session.execute("SELECT size, md5sum, sha1sum, sha256sum FROM external_files WHERE filename LIKE :pattern", {'pattern': '%/{}'.format(f.filename)})
        (ext_size, ext_md5sum, ext_sha1sum, ext_sha256sum) = q.fetchone() or (None, None, None, None)

        if not ext_size: