From ed934b1edef46547e4fb19c886608311395a61d8 Mon Sep 17 00:00:00 2001
From: Dominik Turecek
Date: Jun 29 2018 13:14:43 +0000
Subject: [frontend] don't use sql.format() for passing values to sql queries
---
diff --git a/frontend/coprs_frontend/coprs/logic/builds_logic.py b/frontend/coprs_frontend/coprs/logic/builds_logic.py
index 893e6df..05b7155 100644
--- a/frontend/coprs_frontend/coprs/logic/builds_logic.py
+++ b/frontend/coprs_frontend/coprs/logic/builds_logic.py
@@ -154,41 +154,42 @@ class BuildsLogic(object):
 step_start = start + i * step
 step_end = step_start + step
 
- query_pending = """
+ query_pending = text("""
 SELECT COUNT(*) as pending
 FROM build_chroot JOIN build on build.id = build_chroot.build_id
 WHERE
 (
- build_chroot.started_on > {start}
+ build_chroot.started_on > :start
 OR build_chroot.started_on is NULL
 )
- AND build.submitted_on < {end}
+ AND build.submitted_on < :end
 AND (
- build_chroot.ended_on > {start}
+ build_chroot.ended_on > :start
 OR build_chroot.ended_on IS NULL
 )
- AND NOT ((build.submitted_on NOT BETWEEN {start} and {end})
- AND (build_chroot.started_on NOT BETWEEN {start} AND {end})
- AND (build.submitted_on >= {start} OR build_chroot.started_on <= {end})
+ AND NOT ((build.submitted_on NOT BETWEEN :start and :end)
+ AND (build_chroot.started_on NOT BETWEEN :start AND :end)
+ AND (build.submitted_on >= :start OR build_chroot.started_on <= :end)
 )
- """.format(start=step_start, end=step_end)
+ """)
 
- query_running = """
+ query_running = text("""
 SELECT COUNT(*) as running
 FROM build_chroot
 WHERE
- started_on < {end}
- AND (ended_on > {start} OR ended_on IS NULL)
+ started_on < :end
+ AND (ended_on > :start OR ended_on IS NULL)
 AND (
- (started_on BETWEEN {start} AND {end})
- OR (ended_on BETWEEN {start} AND {end})
- OR (started_on < {start}
- AND (ended_on > {end} OR (ended_on IS NULL AND status = {status})))
+ (started_on BETWEEN :start AND :end)
+ OR (ended_on BETWEEN :start AND :end)
+ OR (started_on < :start
+ AND (ended_on > :end OR (ended_on IS NULL AND status = :status)))
 )
- """.format(start=step_start, end=step_end, status=helpers.StatusEnum('running'))
+ """)
 
- res_pending = db.engine.execute(query_pending)
- res_running = db.engine.execute(query_running)
+ res_pending = db.engine.execute(query_pending, start=step_start, end=step_end)
+ res_running = db.engine.execute(query_running, start=step_start, end=step_end,
+ status=helpers.StatusEnum('running'))
 
 pending = res_pending.first().pending
 running = res_running.first().running
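Review bot: The two new `query_pending = text("""` / `query_running = text("""` assignments introduce the name `text`, but this diff touches only the hunk at line 154 and not the import block of builds_logic.py, so unless `text` is already imported there (e.g. `from sqlalchemy import text`) both statements raise NameError at runtime — worth confirming before merge. Passing the bind values as keyword arguments to `db.engine.execute(query_pending, start=step_start, end=step_end)` is the legacy SQLAlchemy 1.x calling form; newer releases expect one parameters mapping, so `db.engine.execute(query_pending, {"start": step_start, "end": step_end})` is the more portable spelling, though which form applies depends on the SQLAlchemy version the project pins, which this diff does not show. The move from `str.format` to `:start`/`:end`/`:status` bind parameters is the right fix: the SQL string is now a constant and the driver handles quoting, so values never reach the query text as literals even when they are numeric today. The enclosing method starts before and ends after this hunk.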