From fa2797e656e3dba18f990a2db1f0f029d41f1921 Mon Sep 17 00:00:00 2001
From: Eric Deutsch
Date: Wed, 20 Apr 2022 18:38:35 +0000
Subject: [PATCH] avoid SQL injection exploits

---
 code/autocomplete/rtxcomplete.py | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/code/autocomplete/rtxcomplete.py b/code/autocomplete/rtxcomplete.py
index 714398532..4ad23484d 100644
--- a/code/autocomplete/rtxcomplete.py
+++ b/code/autocomplete/rtxcomplete.py
@@ -23,6 +23,7 @@ def load():
 database_name = f"{autocomplete_filepath}{os.path.sep}{RTXConfig.autocomplete_path.split('/')[-1]}"
 conn = sqlite3.connect(database_name)
 cursor = conn.cursor()
+ #print(f"INFO: Connected to {database_name}",file=sys.stderr)
 return True
@@ -39,6 +40,9 @@ def get_nodes_like(word,requested_limit):
 if len(word) < 2:
 return values
+ #### Try to avoid SQL injection exploits by sanitizing input #1823
+ word = word.replace('"','')
+
 floor = word[:-1]
 ceiling = floor + 'zz'
@@ -103,8 +107,12 @@ def get_nodes_like(word,requested_limit):
 if found_fragment is None:
 #### Cache this fragment in the database
- cursor.execute("INSERT INTO cached_fragments(fragment) VALUES(?)", (word,))
- fragment_id = cursor.lastrowid
+ try:
+ cursor.execute("INSERT INTO cached_fragments(fragment) VALUES(?)", (word,))
+ fragment_id = cursor.lastrowid
+ except:
+ print(f"ERROR: Unable to INSERT into cached_fragments(fragment)",file=sys.stderr)
+ fragment_id = 0
 if debug:
 print(f"fragment_id = {fragment_id}")
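Review bot: Stripping double quotes from `word` in the second hunk is not an injection defence: it leaves single quotes, backslashes, semicolons and the LIKE wildcards `%`/`_` untouched, and the one statement this patch shows already binds `word` through a `?` placeholder, which is what actually prevents injection. The queries that consume `floor` and `ceiling` lie outside the hunk, so I cannot confirm how they are built; if any of them formats the value into the SQL string, convert it to parameter binding rather than relying on this replace. The replace also runs after the `if len(word) < 2` guard, so an input consisting only of quotes passes the guard and then becomes an empty string before `floor = word[:-1]`; moving `word = word.replace('"','')` above the length check closes that gap. If the replace is kept as input normalisation, the comment should say so honestly, e.g. `#### Normalise input; injection is prevented by the ? parameter binding below, not by this replace`. get_nodes_like continues outside the hunk.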
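Review bot: The bare `except:` wrapped around the new INSERT in the third hunk catches everything, including KeyboardInterrupt and SystemExit, and the log line discards the exception, so a locked or read-only database and a genuine bug look identical in stderr. Narrow it and keep the cause: `except sqlite3.Error as e:` followed by `print(f"ERROR: Unable to INSERT into cached_fragments(fragment): {e}", file=sys.stderr)`. Falling back to `fragment_id = 0` also lets the rest of the function, which is outside the hunk, continue with a sentinel that could be written into other cache tables as if it were a real row id; if the cache write fails it is presumably safer to skip the caching step entirely, so please confirm how `fragment_id` is used below.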