From f75c15d6cd535aa78014378ad532de1df6be2f56 Mon Sep 17 00:00:00 2001
From: Krrish Dholakia
Date: Sat, 1 Jun 2024 14:16:26 -0700
Subject: [PATCH] fix(proxy_server.py): security fix - fix sql injection attack on global spend logs
---
 litellm/proxy/proxy_server.py | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/litellm/proxy/proxy_server.py b/litellm/proxy/proxy_server.py
index 4d02f45245d0..4e7fb56bdb1b 100644
--- a/litellm/proxy/proxy_server.py
+++ b/litellm/proxy/proxy_server.py
@@ -8693,17 +8693,13 @@ async def global_spend_logs(
 return response
 else:
- sql_query = (
- """
+ sql_query = """
 SELECT * FROM "MonthlyGlobalSpendPerKey"
- WHERE "api_key" = '"""
- + api_key
- + """'
+ WHERE "api_key" = $1
 ORDER BY "date";
- """
- )
+ """
- response = await prisma_client.db.query_raw(query=sql_query)
+ response = await prisma_client.db.query_raw(sql_query, api_key)
 return response
 return
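Review bot: The binding of `api_key` as `$1` closes the hole only in this `else` branch; the `if` branch of `global_spend_logs` and the rest of the function lie outside the hunk, so any other `query_raw` call in the file that still assembles SQL by string concatenation needs the same treatment, and a short comment above the new `sql_query` would keep the fix from regressing: `# api_key is bound as a query parameter ($1); never interpolate it into the SQL text`. The `$1` placeholder appears to be PostgreSQL-style positional syntax as accepted by Prisma's `query_raw`, so this presumably assumes the proxy database is Postgres — worth confirming against the supported providers. A regression test that calls this endpoint with an `api_key` containing a single quote and asserts the value is passed as a bound argument rather than appearing in the query string would pin the fix; the positional call `query_raw(sql_query, api_key)` also drops the `query=` keyword the old call used, which is fine as long as the client signature accepts positional arguments.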