Fix SQL parameter for query-rid action
It needs to be a tuple even when there's a single argument.
Obligatory XKCD: https://xkcd.com/327/
I know we don't need to be particularly concerned about security for this, but using proper query parameters in SQL is just basic 'using databases properly'. In the same way that we want to use JSON for messages instead of eval-ing strings (but the SQL one was easier to fix).
Hmm, I missed actually answering the question properly
String formatting received data into an SQL query (whether with f-strings or sprintf) is how you get SQL injection vulnerabilities. Any time you combine data with code, you need to take care that the data is properly escaped so it can't turn into code. And this is the interface to do that in Python's database API. For more details, see https://docs.python.org/3/library/sqlite3.html (search 'substitution').
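As an added illustration of the point above (example code written for this page, not the project's own code; the `records` table, the `rid` column and the sample rows are constructed), this puts the f-string query next to the parameterised one and shows the tuple detail from the merge request description: `sqlite3` treats a bare string argument as a sequence of characters, so passing `"1"` instead of `("1",)` happens to work while `"12"` fails with a bindings error.

```python
import sqlite3

# Constructed sample data; not the project's real schema or values.
SAMPLE_ROWS = [(1, "alpha"), (2, "beta"), (3, "gamma")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a small constructed 'records' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (rid INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO records VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def query_rid_unsafe(conn: sqlite3.Connection, rid) -> list:
    """Vulnerable form: received data is formatted straight into the SQL text,
    so anything in `rid` that parses as SQL becomes part of the statement."""
    sql = f"SELECT rid, name FROM records WHERE rid = {rid}"
    return conn.execute(sql).fetchall()


def query_rid(conn: sqlite3.Connection, rid) -> list:
    """Safe form: the value is bound with a '?' placeholder and stays data.
    The parameters argument is the one-element tuple (rid,), not rid itself."""
    return conn.execute(
        "SELECT rid, name FROM records WHERE rid = ?", (rid,)
    ).fetchall()


def bindings_error(conn: sqlite3.Connection, rid: str):
    """The bug the merge request fixes: pass the string itself instead of a tuple.
    sqlite3 treats the string as a sequence of characters, so a one-character
    value binds by accident and a longer one raises ProgrammingError.
    Returns the error message, or None if the call happened to succeed."""
    try:
        conn.execute("SELECT rid, name FROM records WHERE rid = ?", rid).fetchall()
        return None
    except sqlite3.ProgrammingError as exc:
        return str(exc)


if __name__ == "__main__":
    db = make_db()
    # The bound parameter is compared as data: no row has rid equal to that text.
    print("parameterised, crafted input:", query_rid(db, "1 OR 1=1"))
    # The formatted query now reads 'WHERE rid = 1 OR 1=1' and returns every row.
    print("f-string, crafted input:     ", query_rid_unsafe(db, "1 OR 1=1"))
    print("bare '1' as parameters:      ", bindings_error(db, "1"))
    print("bare '12' as parameters:     ", bindings_error(db, "12"))
```

The same rule applies to every DB-API driver, not only `sqlite3`: the placeholder style varies (`?`, `%s`, `:name`) but the data is always passed separately from the statement text, and a single value still goes in a tuple or list.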
mentioned in commit 41c1041c