From 9e7dd28156af7e2a8a1be707588d43b90e39e539 Mon Sep 17 00:00:00 2001
From: Alan Orth
Date: Mon, 2 Mar 2020 11:16:05 +0200
Subject: [PATCH] dspace_statistics_api/app.py: Use parameterized SQL queries

This is a better way to run SQL queries because psycopg2 takes care of the quoting for us.
---
 dspace_statistics_api/app.py | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/dspace_statistics_api/app.py b/dspace_statistics_api/app.py
index e29f0e6..058e154 100644
--- a/dspace_statistics_api/app.py
+++ b/dspace_statistics_api/app.py
@@ -29,9 +29,8 @@ class AllItemsResource:
 # get statistics and use limit and offset to page through results
 cursor.execute(
- "SELECT id, views, downloads FROM items LIMIT {} OFFSET {}".format(
- limit, offset
- )
+ "SELECT id, views, downloads FROM items LIMIT %s OFFSET %s",
+ [limit, offset],
 )
 # create a list to hold dicts of item stats
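Review bot: The parameterized execute() on the two added lines removes the quoting problem, but `limit` and `offset` still reach the database unchecked at this point — psycopg2 only adapts the values, and Postgres rejects a negative or non-integer LIMIT/OFFSET, so malformed input surfaces as a database error instead of a clean client-side rejection, and an unbounded `limit` lets a single request pull the whole items table. If these values come from the request (the paging comment suggests so; the enclosing method of AllItemsResource starts and ends outside the hunk), validate them before the execute call, e.g. `if offset < 0 or not 0 < limit <= MAX_LIMIT:` (with `MAX_LIMIT` a constant still to be chosen) and answer with a 4xx response. A one-line comment above the query would also stop a future reader from "simplifying" it back to string formatting: `# %s are psycopg2 placeholders, not Python formatting: the driver quotes the values`.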