patched-codes · patched-codes · Dec 19, 2024 · Dec 19, 2024
diff --git a/sqli/dao/student.py b/sqli/dao/student.py
@@ -24,13 +24,33 @@ async def get(conn: Connection, id_: int):
     @staticmethod
     async def get_many(conn: Connection, limit: Optional[int] = None,
                        offset: Optional[int] = None):
+        """Safely retrieves multiple students with optional pagination using SQL injection safe parameterized queries.
+
+        Created by Patched
+
+        This implementation uses proper SQL parameter binding with psycopg2's %(param)s style placeholders
+        and a separate params dictionary. This approach prevents SQL injection by:
+        1. Ensuring parameters are properly escaped and quoted by the database driver
+        2. Keeping the query structure separate from the parameter values
+        3. Avoiding vulnerable string formatting (like the one used in create() method)
+
+        Args:
+            conn: Database connection
+            limit: Optional maximum number of records to return
+            offset: Optional number of records to skip
+        """
         q = 'SELECT id, name FROM students'
         params = {}
+        # Safely add LIMIT clause using parameterized query - prevents SQL injection
+        # by using %(limit)s placeholder instead of unsafe string formatting
         if limit is not None:
-            q += ' LIMIT + %(limit)s '
+            q += ' LIMIT %(limit)s '
             params['limit'] = limit
+
+        # Safely add OFFSET clause using the same secure parameterization approach
+        # The params dictionary is passed to execute() which handles proper escaping
         if offset is not None:
-            q += ' OFFSET + %(offset)s '
+            q += ' OFFSET %(offset)s '
             params['offset'] = offset
         async with conn.cursor() as cur:
             await cur.execute(q, params)