Prevent unknown column names from being passed to DB

Signed-off-by: simonmicro <simon@simonmicro.de>
2026-01-24 00:50:16 +01:00 · 2025-12-06 21:18:52 +01:00 · 2025-12-06 21:18:52 +01:00 · 6c57a8e5b4
parent 49fb60fe6b
commit 6c57a8e5b4
1 changed files with 2 additions and 1 deletions
--- a/py-kms/pykms_Sql.py
+++ b/py-kms/pykms_Sql.py
@ -109,8 +109,9 @@ def sql_update(dbName, infoDict):
                        # Update only changed columns
                        common_postfix = "WHERE clientMachineId=:clientMachineId AND applicationId=:applicationId"
                        def update_column_if_changed(column_name, new_value):
-                                assert column_name in _column_name_to_index, f"Unknown column name: {column_name}"
                                assert "clientMachineId" in infoDict and "applicationId" in infoDict, "infoDict must contain 'clientMachineId' and 'applicationId'"
+                                if column_name not in _column_name_to_index:
+                                        raise ValueError(f"Unknown column name: {column_name}")
                                if data[_column_name_to_index[column_name]] != new_value:
                                        query = f"UPDATE clients SET {column_name}=:value {common_postfix}"
                                        cur.execute(query, {"value": new_value, "clientMachineId": infoDict['clientMachineId'], "applicationId": infoDict['applicationId']})