Patched sqli/dao/student.py

patched.codes[bot] · patched.codes[bot] · commit 47d403f64a6d · 2024-05-28T16:31:33.000+08:00
diff --git a/sqli/dao/student.py b/sqli/dao/student.py
@@ -40,8 +40,9 @@ async def get_many(conn: Connection, limit: Optional[int] = None,
     @staticmethod
     async def create(conn: Connection, name: str):
         q = ("INSERT INTO students (name) "
-             "VALUES ('%(name)s')" % {'name': name})
+             "VALUES (%s)")
         async with conn.cursor() as cur:
-            await cur.execute(q)
+            await cur.execute(q, (name,))
+
 
 
