Get rid of SQL injection possibility on /router http url

MNBikeways · Jun 22, 2015 · 829a027 · 829a027
1 parent 152ffaf
commit 829a027
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/Data/views.py b/Data/views.py
@@ -51,7 +51,7 @@ def get(self, request, *args, **kwargs):
         sql_function = "select ccp_name, the_geom from pgr_dijkstra(\'"
 
         cursor = connection.cursor()
-        cursor.execute(sql_function+sql_inside_of_function+","+str(id1)+","+str(id2)+", true,true) join \"Data_minnesotabiketrails\" as bt on bt.id=id2")
+        cursor.execute(sql_function+sql_inside_of_function+", %s , %s , true,true) join \"Data_minnesotabiketrails\" as bt on bt.id=id2",(str(id1),str(id2),))
         all = cursor.fetchall()
         names = []
         gj = []