fix(conduct): escape format specifiers in SQL DATE_FORMAT queries

2026-04-23 10:28:59 +08:00
parent 87904bd6ef
commit 03aaaa53a9


@@ -147,7 +147,7 @@ class ConductModel:
where_clause = " AND ".join(conditions)
count_sql = f"""
SELECT COUNT(DISTINCT CONCAT(cr.points_change, '|', cr.reason, '|', cr.recorder_id, '|', DATE_FORMAT(cr.created_at, '%Y-%m-%d %H:%i'))) as total
SELECT COUNT(DISTINCT CONCAT(cr.points_change, '|', cr.reason, '|', cr.recorder_id, '|', DATE_FORMAT(cr.created_at, '%%Y-%%m-%%d %%H:%%i'))) as total
FROM conduct_records cr
WHERE {where_clause}
"""
@@ -157,13 +157,13 @@ class ConductModel:
cr.points_change,
cr.reason,
cr.recorder_name,
DATE_FORMAT(MIN(cr.created_at), '%Y-%m-%d %H:%i:%s') as created_at,
DATE_FORMAT(MIN(cr.created_at), '%%Y-%%m-%%d %%H:%%i:%%s') as created_at,
GROUP_CONCAT(s.name ORDER BY s.student_id SEPARATOR ', ') as student_names,
COUNT(*) as student_count
FROM conduct_records cr
JOIN students s ON cr.student_id = s.student_id
WHERE {where_clause}
GROUP BY cr.points_change, cr.reason, cr.recorder_id, DATE_FORMAT(cr.created_at, '%Y-%m-%d %H:%i')
GROUP BY cr.points_change, cr.reason, cr.recorder_id, DATE_FORMAT(cr.created_at, '%%Y-%%m-%%d %%H:%%i')
ORDER BY MIN(cr.created_at) DESC
LIMIT %s OFFSET %s
"""