refactor: Update SQL queries to use parameterized queries in trading_plan.py

2025-02-11 19:12:14 -08:00 · 2025-02-11 19:12:14 -08:00 · a47cd3e1cc
commit a47cd3e1cc
parent 85d7638ef4
1 changed files with 10 additions and 7 deletions
--- a/src/trading/trading_plan.py
+++ b/src/trading/trading_plan.py
@ -329,12 +329,15 @@ def link_trades_to_plan(plan_id: int, trade_ids: List[int]) -> bool:
        try:
            # Update trades to link them to the plan
            trade_ids_str = ", ".join(map(str, trade_ids))
-            query = f"""
+            query = """
                ALTER TABLE stock_db.trades
-                UPDATE plan_id = {plan_id}
-                WHERE id IN ({trade_ids_str})
+                UPDATE plan_id = %(plan_id)s
+                WHERE id IN (%(trade_ids)s)
            """
-            client.command(query)
+            client.command(query, {
+                'plan_id': plan_id,
+                'trade_ids': trade_ids_str
+            })
            return True
        except Exception as e:
            print(f"Error linking trades to plan: {e}")
@ -343,13 +346,13 @@ def link_trades_to_plan(plan_id: int, trade_ids: List[int]) -> bool:
 def get_plan_trades(plan_id: int) -> List[dict]:
    """Get all trades associated with a trading plan"""
    with create_client() as client:
-        query = f"""
+        query = """
            SELECT *
            FROM stock_db.trades
-            WHERE plan_id = {plan_id}
+            WHERE plan_id = %(plan_id)s
            ORDER BY entry_date DESC
        """
-        result = client.query(query)
+        result = client.query(query, {'plan_id': plan_id})
        return [dict(zip(
            ['id', 'position_id', 'ticker', 'entry_date', 'shares', 'entry_price',
             'target_price', 'stop_loss', 'strategy', 'order_type', 'direction',