From 03aaaa53a9ba27227bb4717743286a0d977d215b Mon Sep 17 00:00:00 2001
From: canglan
Date: Thu, 23 Apr 2026 10:28:59 +0800
Subject: [PATCH] fix(conduct): escape format specifiers in SQL DATE_FORMAT queries

---
 backend/models/conduct.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/backend/models/conduct.py b/backend/models/conduct.py
index 9324c1d..e8d8f6a 100644
--- a/backend/models/conduct.py
+++ b/backend/models/conduct.py
@@ -147,7 +147,7 @@ class ConductModel:
         where_clause = " AND ".join(conditions)
 
         count_sql = f"""
-            SELECT COUNT(DISTINCT CONCAT(cr.points_change, '|', cr.reason, '|', cr.recorder_id, '|', DATE_FORMAT(cr.created_at, '%Y-%m-%d %H:%i'))) as total
+            SELECT COUNT(DISTINCT CONCAT(cr.points_change, '|', cr.reason, '|', cr.recorder_id, '|', DATE_FORMAT(cr.created_at, '%%Y-%%m-%%d %%H:%%i'))) as total
             FROM conduct_records cr
             WHERE {where_clause}
         """
@@ -157,13 +157,13 @@ class ConductModel:
                 cr.points_change,
                 cr.reason,
                 cr.recorder_name,
-                DATE_FORMAT(MIN(cr.created_at), '%Y-%m-%d %H:%i:%s') as created_at,
+                DATE_FORMAT(MIN(cr.created_at), '%%Y-%%m-%%d %%H:%%i:%%s') as created_at,
                 GROUP_CONCAT(s.name ORDER BY s.student_id SEPARATOR ', ') as student_names,
                 COUNT(*) as student_count
             FROM conduct_records cr
             JOIN students s ON cr.student_id = s.student_id
             WHERE {where_clause}
-            GROUP BY cr.points_change, cr.reason, cr.recorder_id, DATE_FORMAT(cr.created_at, '%Y-%m-%d %H:%i')
+            GROUP BY cr.points_change, cr.reason, cr.recorder_id, DATE_FORMAT(cr.created_at, '%%Y-%%m-%%d %%H:%%i')
             ORDER BY MIN(cr.created_at) DESC
             LIMIT %s OFFSET %s
         """
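Review bot: The doubled `%%` on the `count_sql` SELECT line in the first hunk is only correct if that query goes through the driver's `%`-style parameter substitution (an args tuple, even an empty one); if `count_sql` is executed with no params, `%%Y` reaches MySQL unchanged and DATE_FORMAT renders a literal `%Y`, so the DISTINCT count silently degrades while the second query, which does carry `LIMIT %s OFFSET %s`, keeps working. The execute calls sit outside both hunks, so please confirm both queries are run with a params argument; the `%%s` for seconds in the second hunk is presumably the case that previously collided with a placeholder. A comment above `count_sql` would stop the next reader from "fixing" the escaping back, e.g. `# '%' is doubled because the DB driver applies %-formatting to this string before MySQL sees it`. The `{where_clause}` f-string interpolation in both queries should stay limited to fixed column-comparison fragments with `%s` placeholders and no user-derived text; `conditions` is built before the hunk, so it cannot be checked here, and the enclosing method starts and ends outside the hunks.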