Use parameterized queries when possible

2016-03-26 18:47:54 -07:00 · 2016-03-26 18:47:54 -07:00 · 1fd96296f7
commit 1fd96296f7
parent 116b83b53f
1 changed files with 10 additions and 6 deletions
--- a/homeassistant/components/sensor/gtfs.py
+++ b/homeassistant/components/sensor/gtfs.py
@ -32,7 +32,9 @@ def get_next_departure(sched, start_station_id, end_station_id):
    day_name = now.strftime("%A").lower()
    now_str = now.strftime("%H:%M:%S")

-    sql_query = """
+    from sqlalchemy.sql import text
+
+    sql_query = text("""
    SELECT trip.trip_id, trip.route_id,
           time(origin_stop_time.departure_time),
           time(destination_stop_time.arrival_time),
@ -62,11 +64,13 @@ def get_next_departure(sched, start_station_id, end_station_id):
    INNER JOIN stops end_station
               ON destination_stop_time.stop_id = end_station.stop_id
    WHERE calendar.{} = 1
-               AND time(origin_stop_time.departure_time) > time('{}')
-    AND start_station.stop_id = '{}' AND end_station.stop_id = '{}'
-    ORDER BY origin_stop_time.departure_time LIMIT 1;"""\
-    .format(day_name, now_str, origin_station.id, destination_station.id)
-    result = sched.engine.execute(sql_query)
+               AND time(origin_stop_time.departure_time) > time(:now_str)
+    AND start_station.stop_id = :origin_station_id
+               AND end_station.stop_id = :end_station_id
+    ORDER BY origin_stop_time.departure_time LIMIT 1;""".format(day_name))
+    result = sched.engine.execute(sql_query,now_str=now_str,
+                                  origin_station_id=origin_station.id,
+                                  end_station_id=destination_station.id)
    item = {}
    for row in result:
        item = row