fix(nspd-geo): replace f-string bulk INSERT with parametrized execute (SQL injection fix) #123
1 changed files with 9 additions and 8 deletions
|
|
@ -295,17 +295,18 @@ def enqueue_geo_job(
|
|||
},
|
||||
).scalar_one()
|
||||
|
||||
# Bulk INSERT targets
|
||||
# Bulk INSERT targets — parametrized to prevent SQL injection
|
||||
if cad_nums_with_thematic:
|
||||
values = ",".join(
|
||||
f"({job_id}, '{c.replace(chr(39), chr(39)*2)}', {t}, 'pending')"
|
||||
for c, t in cad_nums_with_thematic
|
||||
)
|
||||
db.execute(
|
||||
text(
|
||||
f"INSERT INTO nspd_geo_targets (job_id, cad_num, thematic_id, status) "
|
||||
f"VALUES {values} ON CONFLICT (job_id, cad_num, thematic_id) DO NOTHING"
|
||||
)
|
||||
"INSERT INTO nspd_geo_targets (job_id, cad_num, thematic_id, status) "
|
||||
"VALUES (:job_id, :cad_num, :thematic_id, 'pending') "
|
||||
"ON CONFLICT (job_id, cad_num, thematic_id) DO NOTHING"
|
||||
),
|
||||
[
|
||||
{"job_id": job_id, "cad_num": c, "thematic_id": t}
|
||||
for c, t in cad_nums_with_thematic
|
||||
],
|
||||
)
|
||||
db.commit()
|
||||
return int(job_id)
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue