From 9e607711d3dc974c6657d4153bbc51786ccb7867 Mon Sep 17 00:00:00 2001
From: Federico Stagni
Date: Wed, 20 Nov 2024 09:40:49 +0100
Subject: [PATCH] sweep: #7894 fix (Transformation): use parameterised query in addTransformation
---
 src/DIRAC/Core/Utilities/MySQL.py | 6 +-
 .../DB/TransformationDB.py | 65 ++++++++++---------
 2 files changed, 37 insertions(+), 34 deletions(-)
diff --git a/src/DIRAC/Core/Utilities/MySQL.py b/src/DIRAC/Core/Utilities/MySQL.py
index 91c7c1156e4..edf9a235025 100755
--- a/src/DIRAC/Core/Utilities/MySQL.py
+++ b/src/DIRAC/Core/Utilities/MySQL.py
@@ -751,9 +751,11 @@ def _query(self, cmd, *, conn=None, debug=True):
 return retDict
 @captureOptimizerTraces
- def _update(self, cmd, *, conn=None, debug=True):
+ def _update(self, cmd, *, args=None, conn=None, debug=True):
 """execute MySQL update command
+ :param args: parameters passed to cursor.execute(..., args=args) method.
+ :param conn: connection object.
 :param debug: print or not the errors
 :return: S_OK with number of updated registers upon success.
@@ -771,7 +773,7 @@ def _update(self, cmd, *, conn=None, debug=True):
 try:
 cursor = connection.cursor()
- res = cursor.execute(cmd)
+ res = cursor.execute(cmd, args=args)
 retDict = S_OK(res)
 if cursor.lastrowid:
 retDict["lastRowId"] = cursor.lastrowid
diff --git a/src/DIRAC/TransformationSystem/DB/TransformationDB.py b/src/DIRAC/TransformationSystem/DB/TransformationDB.py
index 6d83a69befb..78a50f8b389 100755
--- a/src/DIRAC/TransformationSystem/DB/TransformationDB.py
+++ b/src/DIRAC/TransformationSystem/DB/TransformationDB.py
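Review bot: In MySQL.py, the new `:param args:` line in `_update` does not say what changes for the caller once `args` is supplied. Assuming the driver uses `%s` / `%(name)s` placeholders, as the caller in TransformationDB.py does, a literal `%` in `cmd` (for example in a LIKE pattern) then has to be written `%%`, while with the default `args=None` the statement is presumably still sent as-is. I would word it as `:param args: sequence or mapping bound by the driver to the %s / %(name)s placeholders in cmd; when given, write a literal % in cmd as %%.` `_query`, whose signature shows in the first hunk header, still takes only `cmd`, so reads keep relying on string-built statements. The body of `_update` continues outside both hunks.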
@@ -156,38 +156,39 @@ def addTransformation(
 elif res["Message"] != "Transformation does not exist":
 return res
 self.lock.acquire()
- res = self._escapeString(body)
- if not res["OK"]:
- return S_ERROR("Failed to parse the transformation body")
- body = res["Value"]
- req = (
- "INSERT INTO Transformations (TransformationName,Description,LongDescription, \
- CreationDate,LastUpdate,Author,AuthorGroup,Type,Plugin,AgentType,\
- FileMask,Status,TransformationGroup,GroupSize,\
- InheritedFrom,Body,MaxNumberOfTasks,EventsPerTask)\
- VALUES ('%s','%s','%s',\
- UTC_TIMESTAMP(),UTC_TIMESTAMP(),'%s','%s','%s','%s','%s',\
- '%s','New','%s',%f,\
- %d,%s,%d,%d);"
- % (
- transName,
- description,
- longDescription,
- author,
- authorGroup,
- transType,
- plugin,
- agentType,
- fileMask,
- transformationGroup,
- groupSize,
- inheritedFrom,
- body,
- maxTasks,
- eventsPerTask,
- )
- )
- res = self._update(req, conn=connection)
+
+ params = {
+ "TransformationName": transName,
+ "Description": description,
+ "LongDescription": longDescription,
+ "CreationDate": "UTC_TIMESTAMP()",
+ "LastUpdate": "UTC_TIMESTAMP()",
+ "Author": author,
+ "AuthorGroup": authorGroup,
+ "Type": transType,
+ "Plugin": plugin,
+ "AgentType": agentType,
+ "FileMask": fileMask,
+ "Status": "New",
+ "TransformationGroup": transformationGroup,
+ "GroupSize": groupSize,
+ "InheritedFrom": inheritedFrom,
+ "Body": body,
+ "MaxNumberOfTasks": maxTasks,
+ "EventsPerTask": eventsPerTask,
+ }
+
+ # A list of parameters that we do not want to substitute as parameters, but directly
+ # into the statement e.g. functions like "UTC_TIMESTAMP()"
+ unparameterised_columns = [
+ "CreationDate",
+ "LastUpdate",
+ ]
+ subst = ", ".join(f"%({name})s" if name not in unparameterised_columns else params[name] for name in params)
+
+ req = f"INSERT INTO Transformations ({', '.join(params)}) VALUES ({subst});"
+
+ res = self._update(req, args=params, conn=connection)
 if not res["OK"]:
 self.lock.release()
 return res
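Review bot: The join that builds `subst` writes `params[name]` straight into the SQL text for every name in `unparameterised_columns`, so verbatim SQL and caller-supplied values share one dict and only that list keeps them apart. Both listed entries are the constant `UTC_TIMESTAMP()` today, so nothing caller-controlled reaches the statement text. A later edit that adds a column carrying caller input to the list would quietly bring back string-built SQL, though. Keeping the server-side expressions in their own mapping and binding everything left in `params` removes that coupling, and also stops passing the two unused entries to `_update` in `args`. The body of `addTransformation` starts and ends outside the hunk.

```python
# … unchanged: params dict with the bound values, minus the CreationDate / LastUpdate entries …

# Server-side expressions written into the statement verbatim: constants only, never caller input
sql_expressions = {
    "CreationDate": "UTC_TIMESTAMP()",
    "LastUpdate": "UTC_TIMESTAMP()",
}
columns = ", ".join([*params, *sql_expressions])
values = ", ".join([*(f"%({name})s" for name in params), *sql_expressions.values()])

req = f"INSERT INTO Transformations ({columns}) VALUES ({values});"

res = self._update(req, args=params, conn=connection)
```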