Fix code scanning alert no. 106: SQL query built from user-controlled…

… sources Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
DogukanUrker · Dec 17, 2024 · 7c6658b · 7c6658b
1 parent 8afd945
commit 7c6658b
Showing 1 changed file with 7 additions and 5 deletions.
diff --git a/routes/index.py b/routes/index.py
@@ -69,14 +69,16 @@ def index(by="hot", sort="desc"):
     # Create a cursor object for executing queries
     cursor = connection.cursor()
     # Select all the columns from the posts table and order them by the specified field and sorting order
+    query = ""
+    params = ()
     match by:
         case "hot": # If the sorting field is "hot"
-            cursor.execute(
-                f"SELECT *, (views * 1 / log(1 + (strftime('%s', 'now') - timeStamp) / 3600 + 2)) AS hotScore FROM posts ORDER BY hotScore {sort}"
-            ) # Execute the query to sort by hotness
-            pass
+            query = "SELECT *, (views * 1 / log(1 + (strftime('%s', 'now') - timeStamp) / 3600 + 2)) AS hotScore FROM posts ORDER BY hotScore ?"
+            params = (sort,)
         case _: # For all other sorting fields
-            cursor.execute(f"select * from posts order by {by} {sort}") # Execute the query to sort by the specified field
+            query = "SELECT * FROM posts ORDER BY ? ?"
+            params = (by, sort)
+    cursor.execute(query, params) # Execute the parameterized query
 
     # Fetch all the results as a list of tuples
     posts = cursor.fetchall()