fix(conduct): escape format specifiers in SQL DATE_FORMAT queries

2026-04-23 10:28:59 +08:00
parent 87904bd6ef
commit 03aaaa53a9


@@ -147,7 +147,7 @@ class ConductModel:
where_clause = " AND ".join(conditions) where_clause = " AND ".join(conditions)
count_sql = f""" count_sql = f"""
SELECT COUNT(DISTINCT CONCAT(cr.points_change, '|', cr.reason, '|', cr.recorder_id, '|', DATE_FORMAT(cr.created_at, '%Y-%m-%d %H:%i'))) as total SELECT COUNT(DISTINCT CONCAT(cr.points_change, '|', cr.reason, '|', cr.recorder_id, '|', DATE_FORMAT(cr.created_at, '%%Y-%%m-%%d %%H:%%i'))) as total
FROM conduct_records cr FROM conduct_records cr
WHERE {where_clause} WHERE {where_clause}
""" """
@@ -157,13 +157,13 @@ class ConductModel:
cr.points_change, cr.points_change,
cr.reason, cr.reason,
cr.recorder_name, cr.recorder_name,
DATE_FORMAT(MIN(cr.created_at), '%Y-%m-%d %H:%i:%s') as created_at, DATE_FORMAT(MIN(cr.created_at), '%%Y-%%m-%%d %%H:%%i:%%s') as created_at,
GROUP_CONCAT(s.name ORDER BY s.student_id SEPARATOR ', ') as student_names, GROUP_CONCAT(s.name ORDER BY s.student_id SEPARATOR ', ') as student_names,
COUNT(*) as student_count COUNT(*) as student_count
FROM conduct_records cr FROM conduct_records cr
JOIN students s ON cr.student_id = s.student_id JOIN students s ON cr.student_id = s.student_id
WHERE {where_clause} WHERE {where_clause}
GROUP BY cr.points_change, cr.reason, cr.recorder_id, DATE_FORMAT(cr.created_at, '%Y-%m-%d %H:%i') GROUP BY cr.points_change, cr.reason, cr.recorder_id, DATE_FORMAT(cr.created_at, '%%Y-%%m-%%d %%H:%%i')
ORDER BY MIN(cr.created_at) DESC ORDER BY MIN(cr.created_at) DESC
LIMIT %s OFFSET %s LIMIT %s OFFSET %s
""" """
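Review bot: The `%%` escaping added to the DATE_FORMAT literals (count_sql in the first hunk, the SELECT and GROUP BY in the second) is only correct if every execute() of these strings passes a params argument, because DB-API drivers such as PyMySQL/mysqlclient run `%`-formatting only when args is not None; executed bare, `%%` reaches MySQL unchanged and DATE_FORMAT renders a literal `%Y-%m-%d`, which would silently collapse the minute-level grouping into one bucket. The execute calls sit outside these hunks (the enclosing method starts before the first hunk and continues past the last), so this should be confirmed and pinned with a comment above `count_sql = f"""`, e.g. `# '%%' is required: the driver %-formats this SQL with the params tuple, so always pass params (even ()).` Since the f-string splices `where_clause` straight into the query, the conditions list must keep carrying values as `%s` placeholders rather than interpolated text — presumably it does, but it is built before the hunk and is worth a matching comment. The same minute-precision format literal now appears three times; hoisting it into one module-level constant such as `_MINUTE_FMT = "%%Y-%%m-%%d %%H:%%i"` would keep the escaping consistent the next time a query is added.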