Revert "[db] Fix an injection issue in update"

This reverts commit d24db3c.
sopel-irc · Dec 16, 2014 · 4d7ede0 · 4d7ede0
1 parent e009a0d
commit 4d7ede0
Showing 1 changed file with 10 additions and 10 deletions.
diff --git a/willie/db.py b/willie/db.py
@@ -665,19 +665,19 @@ def update(self, row, values, key=None):
         cur = db.cursor()
         where = self._make_where_statement(key, row)
         cur.execute('SELECT * FROM ' + self.name + ' WHERE ' + where, rowl)
-        subs = list(values.iterkeys()) + list(values.itervalues())
         if not cur.fetchone():
-            values[key] = row
-            vals = ', '.join(('%s',) * len(values))
-            keys = ', '.join(values.iterkeys())
-            subs = list(values.itervalues())
-            command = ('INSERT INTO ' + self.name + ' (' + keys + ') VALUES (' +
+            vals = "'" + row + "'"
+            for k in values:
+                key = key + ', ' + k
+                vals = vals + ", '" + values[k] + "'"
+            command = ('INSERT INTO ' + self.name + ' (' + key + ') VALUES (' +
                        vals + ');')
         else:
-            k_equals_v = ', '.join('%s = %s' * len(values))
-            command = 'UPDATE ' + self.name + ' SET ' + k_equals_v + ' WHERE ' + key + " = '" + row + "';"
-        command = command.replace('%s', self.db.substitution)
-        cur.execute(command, subs)
+            command = 'UPDATE ' + self.name + ' SET '
+            for k in values:
+                command = command + k + "='" + values[k] + "', "
+            command = command[:-2] + ' WHERE ' + key + " = '" + row + "';"
+        cur.execute(command)
         db.commit()
         db.close()