From f72663f7ae4228a09a9b9d5b4329feaa49f5d163 Mon Sep 17 00:00:00 2001 From: "patched.codes[bot]" <298395+patched.codes[bot]@users.noreply.github.com> Date: Sat, 4 May 2024 14:21:44 +0000 Subject: [PATCH 1/2] Patched: "/tmp/tmpo6czq3yk/sqli/dao/user.py" --- sqli/dao/user.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/sqli/dao/user.py b/sqli/dao/user.py index c663ddc3..659ca1ac 100644 --- a/sqli/dao/user.py +++ b/sqli/dao/user.py @@ -1,4 +1,4 @@ -from hashlib import md5 +from hashlib import sha256 from typing import NamedTuple, Optional from aiopg import Connection @@ -38,4 +38,5 @@ async def get_by_username(conn: Connection, username: str): return User.from_raw(await cur.fetchone()) def check_password(self, password: str): - return self.pwd_hash == md5(password.encode('utf-8')).hexdigest() + return self.pwd_hash == sha256(password.encode('utf-8')).hexdigest() + From 293c7404b39b8aac3af23bd4b53f010f129b9ec0 Mon Sep 17 00:00:00 2001 From: "patched.codes[bot]" <298395+patched.codes[bot]@users.noreply.github.com> Date: Sat, 4 May 2024 14:21:44 +0000 Subject: [PATCH 2/2] Patched: "/tmp/tmpo6czq3yk/sqli/dao/student.py" --- sqli/dao/student.py | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/sqli/dao/student.py b/sqli/dao/student.py index d41ef885..a770ea2f 100644 --- a/sqli/dao/student.py +++ b/sqli/dao/student.py @@ -25,13 +25,13 @@ async def get(conn: Connection, id_: int): async def get_many(conn: Connection, limit: Optional[int] = None, offset: Optional[int] = None): q = 'SELECT id, name FROM students' - params = {} + params = [] if limit is not None: - q += ' LIMIT + %(limit)s ' - params['limit'] = limit + q += ' LIMIT %s' + params.append(limit) if offset is not None: - q += ' OFFSET + %(offset)s ' - params['offset'] = offset + q += ' OFFSET %s' + params.append(offset) async with conn.cursor() as cur: await cur.execute(q, params) results = await cur.fetchall() 
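Review bot: Replacing md5 with a single unsalted sha256 in check_password (second hunk of user.py, with the import swap in the first) keeps the same structural weakness, and any pwd_hash value already stored as an md5 digest will no longer match, since those values cannot be recomputed without the plaintext. The code that writes pwd_hash is outside this diff and has to change in the same commit, together with a migration path for existing rows (for example re-hashing on the next successful login). The stdlib already provides a suitable construction: keep a per-user random salt (`secrets.token_bytes`) and derive with `hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, iterations)` or `hashlib.scrypt`, then compare with `hmac.compare_digest(stored, computed)` instead of `==` so the check is constant-time. With that, the first hunk's import would become `from hashlib import pbkdf2_hmac` plus `import hmac`; check_password's class header is outside the hunk.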
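Review bot: get_many now depends on the LIMIT and OFFSET clauses being appended in the same order as the entries of params, which the positional `%s` form makes easy to break in a later edit; the named `%(limit)s` mapping the old code used is bound by the driver just as safely, so this hunk changes style rather than the security of the query. If the positional form is kept, a short docstring such as `"""Return students as (id, name) rows; limit and offset are bound as query parameters, not interpolated, and must be appended in the same order as params."""` would help the next editor. Nothing here enforces the Optional[int] annotation, so a non-integer value is rejected only by the database; if callers take limit or offset from request input, `if limit is not None and not isinstance(limit, int): raise TypeError('limit must be an int')` (and likewise for offset) keeps the error at the API boundary. The enclosing class starts outside the hunk.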
@@ -39,9 +39,8 @@ async def get_many(conn: Connection, limit: Optional[int] = None, @staticmethod async def create(conn: Connection, name: str): - q = ("INSERT INTO students (name) " - "VALUES ('%(name)s')" % {'name': name}) async with conn.cursor() as cur: - await cur.execute(q) - - + await cur.execute( + "INSERT INTO students (name) VALUES (%s)", + (name,) + )
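Review bot: create inserts whatever name it receives, including an empty or whitespace-only string, and the parameterised statement, correct as it now is, does not guard against that; if such rows are not meant to exist, `if not name.strip(): raise ValueError('name must not be blank')` before the cursor block keeps the check out of the database. The method also gives the caller no handle on the inserted row; if the id is needed elsewhere, `"INSERT INTO students (name) VALUES (%s) RETURNING id"` followed by `return (await cur.fetchone())[0]` would provide it without changing how name is bound. A one-line docstring such as `"""Insert a student row; name is bound as a query parameter."""` is missing. The enclosing class starts outside the hunk.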