I just started to use the MySQLLogging module but it did not work. The logfile said:
2023-12-16 20:23:47,136 - MySQLLoggi 40 Error updating MySQL database: (1064, "You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '2666''' at line 2")
2666 is my slaveTWC. I checked the SQL statements and found #333 -> #334 and https://github.com/ngardiner/TWCManager/commit/5d62d7eda2ffdcd5d4bf132000fd109e2d7c8cca have introduced quotes in the prepared statements. All (even string) values in the SQL statements used by cur.execute should be referred to by using %s without quotes. Using Python format strings to insert the values into the SQL statement might lead to SQL injection. It is safer to let Python MySQL handle the parameters.
This PR fixes the SQL statements for me. I'm using MariaDB Server 10.5 at the moment but I believe the current code is broken for older databases as well.
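As an added illustration (this is example code, not the PR's diff and not TWCManager's own code), the block below mimics how a format-paramstyle DB-API driver such as PyMySQL or mysqlclient renders `%s` placeholders client-side: it shows why a template written as `'%s'` produces the doubled quotes behind the 1064 error quoted above, why building SQL with a Python format string is injectable, and why passing the value as a parameter keeps it a literal. The `charge_sessions` table and its `kwh` column are hypothetical; `slaveTWC` is the column name from the PR. The `mysql_escape`/`render` pair is a simplified stand-in for the driver's escaping, not the driver's code, and the execution demo uses SQLite's own `?` placeholder so it runs without a MariaDB server.

```python
import sqlite3

# Constructed sample values for the demo (not taken from real TWCManager logs).
SLAVE_TWC = "2666"
INJECTION = "2666' OR '1'='1"


def mysql_escape(value):
    """Client-side quoting the way a format-paramstyle driver (PyMySQL-like)
    does it. Simplified mimic for illustration only, not the driver's code:
    numbers are emitted bare, strings are backslash-escaped and single-quoted."""
    if value is None:
        return "NULL"
    if isinstance(value, bool):
        return "1" if value else "0"
    if isinstance(value, (int, float)):
        return str(value)
    text = str(value)
    # Backslash first, so later replacements are not re-escaped.
    for raw, esc in (("\\", "\\\\"), ("'", "\\'"), ('"', '\\"'),
                     ("\n", "\\n"), ("\r", "\\r"), ("\0", "\\0"), ("\x1a", "\\Z")):
        text = text.replace(raw, esc)
    return "'" + text + "'"


def render(template, params):
    """What cur.execute(template, params) sends to the server: every %s is
    replaced by the escaped parameter, which for strings is already quoted.
    A template containing '%s' therefore ends up with ''value'' (two quotes)."""
    return template % tuple(mysql_escape(p) for p in params)


def vulnerable_format_string(value):
    """The pattern the PR warns against: Python string formatting builds the SQL,
    so quotes inside the value become part of the statement."""
    return "SELECT * FROM charge_sessions WHERE slaveTWC = '%s'" % value


def sqlite_demo():
    """Run the vulnerable and the parameterized form against an in-memory SQLite
    table (hypothetical schema). sqlite3 uses '?' instead of '%s', but the point
    is the same: the driver keeps the parameter a literal.
    Returns (rows_from_vulnerable_query, rows_from_parameterized_query)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE charge_sessions (slaveTWC TEXT, kwh REAL)")
    conn.executemany("INSERT INTO charge_sessions VALUES (?, ?)",
                     [("2666", 7.5), ("2667", 3.1), ("2668", 12.0)])
    vulnerable = conn.execute(vulnerable_format_string(INJECTION)).fetchall()
    safe = conn.execute("SELECT * FROM charge_sessions WHERE slaveTWC = ?",
                        (INJECTION,)).fetchall()
    conn.close()
    return len(vulnerable), len(safe)


if __name__ == "__main__":
    insert = "INSERT INTO charge_sessions (slaveTWC) VALUES (%s)"
    print("correct  :", render(insert, (SLAVE_TWC,)))
    # The quoted placeholder from #334: the driver adds its own quotes again,
    # which is the "near '2666'''" syntax error MariaDB reports.
    print("broken   :", render(insert.replace("%s", "'%s'"), (SLAVE_TWC,)))
    print("param    :", render("SELECT * FROM charge_sessions WHERE slaveTWC = %s",
                               (INJECTION,)))
    print("formatted:", vulnerable_format_string(INJECTION))
    print("rows (vulnerable, parameterized):", sqlite_demo())
```

The `correct` line is the form the PR restores: a bare `%s` and the string parameter arrive at the server as `'2666'`. The `broken` line shows the doubled quotes that `'%s'` produces, and the last two lines show the same attacker-controlled value once as a harmless literal and once rewriting the `WHERE` clause, which the SQLite run confirms by returning every row.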