Use parameterized queries when possible

This commit is contained in:
Robbie Trencheny 2016-03-26 18:47:54 -07:00
parent 116b83b53f
commit 1fd96296f7


@ -32,7 +32,9 @@ def get_next_departure(sched, start_station_id, end_station_id):
day_name = now.strftime("%A").lower() day_name = now.strftime("%A").lower()
now_str = now.strftime("%H:%M:%S") now_str = now.strftime("%H:%M:%S")
sql_query = """ from sqlalchemy.sql import text
sql_query = text("""
SELECT trip.trip_id, trip.route_id, SELECT trip.trip_id, trip.route_id,
time(origin_stop_time.departure_time), time(origin_stop_time.departure_time),
time(destination_stop_time.arrival_time), time(destination_stop_time.arrival_time),
@ -62,11 +64,13 @@ def get_next_departure(sched, start_station_id, end_station_id):
INNER JOIN stops end_station INNER JOIN stops end_station
ON destination_stop_time.stop_id = end_station.stop_id ON destination_stop_time.stop_id = end_station.stop_id
WHERE calendar.{} = 1 WHERE calendar.{} = 1
AND time(origin_stop_time.departure_time) > time('{}') AND time(origin_stop_time.departure_time) > time(:now_str)
AND start_station.stop_id = '{}' AND end_station.stop_id = '{}' AND start_station.stop_id = :origin_station_id
ORDER BY origin_stop_time.departure_time LIMIT 1;"""\ AND end_station.stop_id = :end_station_id
.format(day_name, now_str, origin_station.id, destination_station.id) ORDER BY origin_stop_time.departure_time LIMIT 1;""".format(day_name))
result = sched.engine.execute(sql_query) result = sched.engine.execute(sql_query,now_str=now_str,
origin_station_id=origin_station.id,
end_station_id=destination_station.id)
item = {} item = {}
for row in result: for row in result:
item = row item = row
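Review bot: The new side still interpolates the calendar column name with `.format(day_name)` (the `WHERE calendar.{} = 1` line and the `.format(day_name)` on the closing line), and the hunk does not say why that one value stays outside the bound parameters; a column name cannot be a bind parameter, and `day_name` comes from `now.strftime("%A").lower()` rather than from a caller, so it is not attacker-controlled today, but that reasoning should be visible next to the query. I would add, above the `text("""` line, `# calendar.<weekday> is a column name, so it cannot be a bind parameter;` and `# day_name is derived from strftime("%A"), never from caller input.`, and optionally guard it with a membership check against a fixed tuple of the seven lowercase weekday names so a future change to how day_name is computed fails closed. As a point of style, `from sqlalchemy.sql import text` is placed inside the function body and belongs at the module top with the other imports, and `execute(sql_query,now_str=now_str,` is missing the space after the comma. get_next_departure starts and ends outside the hunk.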