From 8b235580a2dbf13ca55dd873c5143b9020f2294a Mon Sep 17 00:00:00 2001
From: Yizhe Shen
Date: Sun, 9 Feb 2014 23:35:33 -0500
Subject: [PATCH] Fix for secure SQL operations. Removed Python string operations from SQL operations.

---
 settings/wolfgame.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/settings/wolfgame.py b/settings/wolfgame.py
index 45e7854..a3c1473 100644
--- a/settings/wolfgame.py
+++ b/settings/wolfgame.py
@@ -287,7 +287,7 @@ def update_game_stats(size, vwon, wwon):
 vwins, wwins, total = 0, 0, 0
 c.execute("SELECT villagewins, wolfwins, totalgames FROM gamestats "+
- "WHERE size = %d" % size)
+ "WHERE size=?", (size,))
 row = c.fetchone()
 if row:
 vwins, wwins, total = row
@@ -303,14 +303,14 @@ def update_game_stats(size, vwon, wwon):
 def get_player_stats(player, role):
 with conn:
- for row in c.execute("SELECT * FROM rolestats WHERE player = '%s' AND role = '%s'" % (player, role)):
+ for row in c.execute("SELECT * FROM rolestats WHERE player=? AND role=?", (player, role)):
 return "As {2}, {0} has {3} team wins, {4} individual wins, and {5} total games.".format(player, *row)
 else:
 return ""
 def get_game_stats(size):
 with conn:
- for row in c.execute("SELECT * FROM gamestats WHERE size = %d" % (size)):
+ for row in c.execute("SELECT * FROM gamestats WHERE size=?", (size,)):
 return "{0} player games: {1} village wins, {2} wolf wins, and {3} total games.".format(*row)
 else:
 return ""
@@ -319,7 +319,7 @@ def get_game_totals():
 sizeList = []
 with conn:
 for size in range(4, MAX_PLAYERS):
- c.execute("SELECT size, totalgames FROM gamestats WHERE size = %d" % size)
+ c.execute("SELECT size, totalgames FROM gamestats WHERE size=?", (size,))
 row = c.fetchone()
 if row:
 sizeList.append("{0}p({1})".format(*row))
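Review bot: The parameterised `WHERE size=?` on the added line of the first hunk is the right fix, but the explicit `+` left on the preceding context line is now the only thing joining two string literals, and a trailing `+` before a bind-parameter tuple is easy to misread as arithmetic on the query. Adjacent literals concatenate implicitly, so the statement can be written as `c.execute("SELECT villagewins, wolfwins, totalgames FROM gamestats " "WHERE size=?", (size,))` with the same result and one less operator to misparse. update_game_stats begins and ends outside this hunk.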
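Review bot: In the second hunk the rewritten `for row in c.execute(...): return ... else: return ""` in get_player_stats, and the identical shape in get_game_stats just below it, use a loop purely to read a single row, and `.format(player, *row)` binds the message fields to the positional column order of `SELECT *`, so any column added to or reordered in rolestats silently shifts which number is reported as wins versus games. Naming the columns in the SELECT and reading one row keeps the parameterised query while pinning the field order: `row = c.execute("SELECT <columns in message order> FROM rolestats WHERE player=? AND role=?", (player, role)).fetchone()` followed by `return "" if row is None else "As {2}, {0} has {3} team wins, {4} individual wins, and {5} total games.".format(player, *row)` (the rolestats column names are not visible in this hunk, so `<columns in message order>` is a placeholder). The same change applies to get_game_stats, whose gamestats columns are visible in the first hunk as size, villagewins, wolfwins, totalgames, presumably in that order.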
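Review bot: The `range(4, MAX_PLAYERS)` on the context line above the third hunk's new `c.execute` stops one short of MAX_PLAYERS, so if a game of exactly MAX_PLAYERS players is valid its totals never appear in sizeList; that is presumably meant to be `range(4, MAX_PLAYERS + 1)`, which is worth confirming against how MAX_PLAYERS is used elsewhere in the file. The loop also issues one query per size, whereas a single `c.execute("SELECT size, totalgames FROM gamestats WHERE size BETWEEN ? AND ? ORDER BY size", (4, MAX_PLAYERS))` iterated with `for row in c:` returns the same rows in one round trip and stays parameterised. get_game_totals continues past the end of the hunk.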