Use parameterized queries when possible

homeassistant/components/sensor/gtfs.py

@@ -32,7 +32,9 @@ def get_next_departure(sched, start_station_id, end_station_id):
     day_name = now.strftime("%A").lower()
     now_str = now.strftime("%H:%M:%S")
 
-    sql_query = """
+    from sqlalchemy.sql import text
+
+    sql_query = text("""
     SELECT trip.trip_id, trip.route_id,
            time(origin_stop_time.departure_time),
            time(destination_stop_time.arrival_time),
@@ -62,11 +64,13 @@ def get_next_departure(sched, start_station_id, end_station_id):
     INNER JOIN stops end_station
                ON destination_stop_time.stop_id = end_station.stop_id
     WHERE calendar.{} = 1
-               AND time(origin_stop_time.departure_time) > time('{}')
+               AND time(origin_stop_time.departure_time) > time(:now_str)
-    AND start_station.stop_id = '{}' AND end_station.stop_id = '{}'
+    AND start_station.stop_id = :origin_station_id
-    ORDER BY origin_stop_time.departure_time LIMIT 1;"""\
+               AND end_station.stop_id = :end_station_id
-    .format(day_name, now_str, origin_station.id, destination_station.id)
+    ORDER BY origin_stop_time.departure_time LIMIT 1;""".format(day_name))
-    result = sched.engine.execute(sql_query)
+    result = sched.engine.execute(sql_query,now_str=now_str,
+                                  origin_station_id=origin_station.id,
+                                  end_station_id=destination_station.id)
     item = {}
     for row in result:
         item = row