Ticket #121: change_all_sql.patch

File change_all_sql.patch, 36.3 KB (added by rmunn@…, 19 years ago)

Patch to quote all SQL identifiers with db.quote_name()

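--- a/django/models/auth.py
+++ b/django/models/auth.py
@@ -86,12 +86,25 @@
         if not hasattr(self, '_group_perm_cache'):
             import sets
             cursor = db.cursor()
-            cursor.execute("""
-                SELECT p.package, p.codename
-                FROM auth_permissions p, auth_groups_permissions gp, auth_users_groups ug
-                WHERE p.id = gp.permission_id
-                    AND gp.group_id = ug.group_id
-                    AND ug.user_id = %s""", [self.id])
+            # The SQL below works out to the following after db quoting:
+            #cursor.execute("""
+            #    SELECT p.package, p.codename
+            #    FROM auth_permissions p, auth_groups_permissions gp, auth_users_groups ug
+            #    WHERE p.id = gp.permission_id
+            #        AND gp.group_id = ug.group_id
+            #        AND ug.user_id = %s""", [self.id])
+            sql = """
+                SELECT p.%s, p.%s
+                FROM %s p, %s gp, %s ug
+                WHERE p.%s = gp.%s
+                    AND gp.%s = ug.%s
+                    AND ug.%s = %%s""" % (
+                db.quote_name("package"), db.quote_name("codename"),
+                db.quote_name("auth_permissions"), db.quote_name("auth_groups_permissions"), db.quote_name("auth_users_groups"),
+                db.quote_name("id"), db.quote_name("permission_id"),
+                db.quote_name("group_id"), db.quote_name("group_id"),
+                db.quote_name("user_id"))
+            cursor.execute(sql, [self.id])
         self._group_perm_cache = sets.Set(["%s.%s" % (row[0], row[1]) for row in cursor.fetchall()])
     return self._group_perm_cache
 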
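Review bot: The commented-out copy of the expanded query at new lines 89-95 duplicates the live query and will silently drift the first time a column or join changes; a one-line comment such as `# Same join as before, with every table/column name passed through db.quote_name() for the backend.` says what a reader needs without a second copy to maintain. The ten positional `%s` substitutions at new lines 96-106 are hard to match against the template by eye — `%(table)s`-style dictionary formatting would make each placeholder self-describing, with identical output. The `user_id` value is still bound as a parameter, which is correct. The enclosing method's `def` line is outside this hunk.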
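--- a/django/bin/daily_cleanup.py
+++ b/django/bin/daily_cleanup.py
@@ -7,8 +7,8 @@
 def clean_up():
     # Clean up old database records
     cursor = db.cursor()
-    cursor.execute("DELETE FROM auth_sessions WHERE start_time < NOW() - INTERVAL '2 weeks'")
-    cursor.execute("DELETE FROM registration_challenges WHERE request_date < NOW() - INTERVAL '1 week'")
+    cursor.execute("DELETE FROM %s WHERE %s < NOW() - INTERVAL '2 weeks'" % (db.quote_name("auth_sessions"), db.quote_name("start_time")))
+    cursor.execute("DELETE FROM %s WHERE %s < NOW() - INTERVAL '1 week'" % (db.quote_name("registration_challenges"), db.quote_name("request_date")))
     db.commit()
 
 if __name__ == "__main__":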
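Review bot: After the identifiers are quoted at new lines 10-11, the two statements are still not portable, because `NOW() - INTERVAL '2 weeks'` is PostgreSQL syntax that the backend quoting layer does nothing about. If the point of routing names through `db.quote_name()` is to let other backends run this script, the interval expression needs a backend hook of its own; until then a comment such as `# NOTE: NOW() - INTERVAL '...' is PostgreSQL-only; identifier quoting does not make this portable.` above the first `cursor.execute` would stop the next reader from assuming it is. The retention windows (two weeks, one week) are hard-coded literals and would be clearer as named constants at module scope.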
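--- a/django/core/management.py
+++ b/django/core/management.py
@@ -20,7 +20,10 @@
 ADMIN_TEMPLATE_DIR = os.path.join(django.__path__[0], 'conf/admin_templates')
 
 def _get_packages_insert(app_label):
-    return "INSERT INTO packages (label, name) VALUES ('%s', '%s');" % (app_label, app_label)
+    from django.core import db
+    return "INSERT INTO %s (%s, %s) VALUES ('%s', '%s');" % (
+        db.quote_name("packages"), db.quote_name("label"), db.quote_name("name"),
+        app_label, app_label)
 
 def _get_permission_codename(action, opts):
     return '%s_%s' % (action, opts.object_name.lower())
@@ -34,12 +37,16 @@
     return perms + list(opts.permissions)
 
 def _get_permission_insert(name, codename, opts):
-    return "INSERT INTO auth_permissions (name, package, codename) VALUES ('%s', '%s', '%s');" % \
-        (name.replace("'", "''"), opts.app_label, codename)
+    from django.core import db
+    return "INSERT INTO %s (%s, %s, %s) VALUES ('%s', '%s', '%s');" % (
+        db.quote_name("auth_permissions"), db.quote_name("name"), db.quote_name("package"), db.quote_name("codename"),
+        name.replace("'", "''"), opts.app_label, codename)
 
 def _get_contenttype_insert(opts):
-    return "INSERT INTO content_types (name, package, python_module_name) VALUES ('%s', '%s', '%s');" % \
-        (opts.verbose_name, opts.app_label, opts.module_name)
+    from django.core import db
+    return "INSERT INTO %s (%s, %s, %s) VALUES ('%s', '%s', '%s');" % (
+        db.quote_name("content_types"), db.quote_name("name"), db.quote_name("package"), db.quote_name("python_module_name"),
+        opts.verbose_name, opts.app_label, opts.module_name)
 
 def _is_valid_dir_name(s):
     return bool(re.search(r'^\w+$', s))
@@ -67,7 +74,7 @@
                 data_type = f.__class__.__name__
             col_type = db.DATA_TYPES[data_type]
             if col_type is not None:
-                field_output = [f.name, col_type % rel_field.__dict__]
+                field_output = [db.quote_name(f.name), col_type % rel_field.__dict__]
                 field_output.append('%sNULL' % (not f.null and 'NOT ' or ''))
                 if f.unique:
                     field_output.append('UNIQUE')
@@ -75,14 +82,14 @@
                     field_output.append('PRIMARY KEY')
                 if f.rel:
                     field_output.append('REFERENCES %s (%s)' % \
-                        (f.rel.to.db_table, f.rel.to.get_field(f.rel.field_name).name))
+                        (db.quote_name(f.rel.to.db_table), db.quote_name(f.rel.to.get_field(f.rel.field_name).name)))
                 table_output.append(' '.join(field_output))
         if opts.order_with_respect_to:
-            table_output.append('_order %s NULL' % db.DATA_TYPES['IntegerField'])
+            table_output.append('%s %s NULL' % (db.quote_name("_order"), db.DATA_TYPES['IntegerField']))
         for field_constraints in opts.unique_together:
-            table_output.append('UNIQUE (%s)' % ", ".join(field_constraints))
+            table_output.append('UNIQUE (%s)' % ", ".join([db.quote_name(s) for s in field_constraints]))
 
-        full_statement = ['CREATE TABLE %s (' % opts.db_table]
+        full_statement = ['CREATE TABLE %s (' % db.quote_name(opts.db_table)]
         for i, line in enumerate(table_output): # Combine and add commas.
             full_statement.append('    %s%s' % (line, i < len(table_output)-1 and ',' or ''))
         full_statement.append(');')
@@ -91,13 +98,17 @@
     for klass in mod._MODELS:
         opts = klass._meta
         for f in opts.many_to_many:
-            table_output = ['CREATE TABLE %s (' % f.get_m2m_db_table(opts)]
-            table_output.append('    id %s NOT NULL PRIMARY KEY,' % db.DATA_TYPES['AutoField'])
-            table_output.append('    %s_id %s NOT NULL REFERENCES %s (%s),' % \
-                (opts.object_name.lower(), db.DATA_TYPES['IntegerField'], opts.db_table, opts.pk.name))
-            table_output.append('    %s_id %s NOT NULL REFERENCES %s (%s),' % \
-                (f.rel.to.object_name.lower(), db.DATA_TYPES['IntegerField'], f.rel.to.db_table, f.rel.to.pk.name))
-            table_output.append('    UNIQUE (%s_id, %s_id)' % (opts.object_name.lower(), f.rel.to.object_name.lower()))
+            table_output = ['CREATE TABLE %s (' % db.quote_name(f.get_m2m_db_table(opts))]
+            table_output.append('    %s %s NOT NULL PRIMARY KEY,' % (
+                db.quote_name("id"), db.DATA_TYPES['AutoField']))
+            table_output.append('    %s %s NOT NULL REFERENCES %s (%s),' % (
+                db.quote_name(opts.object_name.lower() + '_id'), db.DATA_TYPES['IntegerField'],
+                db.quote_name(opts.db_table), db.quote_name(opts.pk.name)))
+            table_output.append('    %s %s NOT NULL REFERENCES %s (%s),' % (
+                db.quote_name(f.rel.to.object_name.lower() + '_id'), db.DATA_TYPES['IntegerField'],
+                db.quote_name(f.rel.to.db_table), db.quote_name(f.rel.to.pk.name)))
+            table_output.append('    UNIQUE (%s, %s)' % (
+                db.quote_name(opts.object_name.lower() + '_id'), db.quote_name(f.rel.to.object_name.lower() + '_id')))
             table_output.append(');')
             final_output.append('\n'.join(table_output))
     return final_output
@@ -116,35 +127,37 @@
         try:
             if cursor is not None:
                 # Check whether the table exists.
-                cursor.execute("SELECT 1 FROM %s LIMIT 1" % klass._meta.db_table)
+                cursor.execute("SELECT 1 FROM %s LIMIT 1" % db.quote_name(klass._meta.db_table))
         except:
             # The table doesn't exist, so it doesn't need to be dropped.
             db.db.rollback()
         else:
-            output.append("DROP TABLE %s;" % klass._meta.db_table)
+            output.append("DROP TABLE %s;" % db.quote_name(klass._meta.db_table))
     for klass in mod._MODELS:
         opts = klass._meta
         for f in opts.many_to_many:
             try:
                 if cursor is not None:
-                    cursor.execute("SELECT 1 FROM %s LIMIT 1" % f.get_m2m_db_table(opts))
+                    cursor.execute("SELECT 1 FROM %s LIMIT 1" % db.quote_name(f.get_m2m_db_table(opts)))
             except:
                 db.db.rollback()
             else:
-                output.append("DROP TABLE %s;" % f.get_m2m_db_table(opts))
+                output.append("DROP TABLE %s;" % db.quote_name(f.get_m2m_db_table(opts)))
 
     app_label = mod._MODELS[0]._meta.app_label
 
     # Delete from packages, auth_permissions, content_types.
-    output.append("DELETE FROM packages WHERE label = '%s';" % app_label)
-    output.append("DELETE FROM auth_permissions WHERE package = '%s';" % app_label)
-    output.append("DELETE FROM content_types WHERE package = '%s';" % app_label)
+    output.append("DELETE FROM %s WHERE %s = '%s';" % (db.quote_name("packages"), db.quote_name("label"), app_label))
+    output.append("DELETE FROM %s WHERE %s = '%s';" % (db.quote_name("auth_permissions"), db.quote_name("package"), app_label))
+    output.append("DELETE FROM %s WHERE %s = '%s';" % (db.quote_name("content_types"), db.quote_name("package"), app_label))
 
     # Delete from the admin log.
     if cursor is not None:
-        cursor.execute("SELECT id FROM content_types WHERE package = %s", [app_label])
+        cursor.execute("SELECT %s FROM %s WHERE %s = %%s" % (
+            db.quote_name("id"), db.quote_name("content_types"), db.quote_name("package")),
+            [app_label])
         for row in cursor.fetchall():
-            output.append("DELETE FROM auth_admin_log WHERE content_type_id = %s;" % row[0])
+            output.append("DELETE FROM %s WHERE %s = %s;" % (db.quote_name("auth_admin_log"), db.quote_name("content_type_id"), row[0]))
 
     return output[::-1] # Reverse it, to deal with table dependencies.
 get_sql_delete.help_doc = "Prints the DROP TABLE SQL statements for the given app(s)."
@@ -181,25 +194,28 @@
 
 def get_sql_sequence_reset(mod):
     "Returns a list of the SQL statements to reset PostgreSQL sequences for the given module."
-    from django.core import meta
+    from django.core import db, meta
     output = []
     for klass in mod._MODELS:
         for f in klass._meta.fields:
             if isinstance(f, meta.AutoField):
-                output.append("SELECT setval('%s_%s_seq', (SELECT max(%s) FROM %s));" % (klass._meta.db_table, f.name, f.name, klass._meta.db_table))
+                output.append("SELECT setval('%s_%s_seq', (SELECT max(%s) FROM %s));" % (klass._meta.db_table, f.name,
+                    db.quote_name(f.name), db.quote_name(klass._meta.db_table)))
     return output
 get_sql_sequence_reset.help_doc = "Prints the SQL statements for resetting PostgreSQL sequences for the given app(s)."
 get_sql_sequence_reset.args = APP_ARGS
 
 def get_sql_indexes(mod):
     "Returns a list of the CREATE INDEX SQL statements for the given module."
+    from django.core import db
     output = []
     for klass in mod._MODELS:
         for f in klass._meta.fields:
             if f.db_index:
                 unique = f.unique and "UNIQUE " or ""
-                output.append("CREATE %sINDEX %s_%s ON %s (%s);" % \
-                    (unique, klass._meta.db_table, f.name, klass._meta.db_table, f.name))
+                output.append("CREATE %sINDEX %s ON %s (%s);" % \
+                    (unique, db.quote_name(klass._meta.db_table + '_' + f.name),
+                    db.quote_name(klass._meta.db_table), db.quote_name(f.name)))
     return output
 get_sql_indexes.help_doc = "Prints the CREATE INDEX SQL statements for the given app(s)."
 get_sql_indexes.args = APP_ARGS
@@ -217,7 +233,9 @@
     app_label = mod._MODELS[0]._meta.app_label
 
     # Check that the package exists in the database.
-    cursor.execute("SELECT 1 FROM packages WHERE label = %s", [app_label])
+    cursor.execute("SELECT 1 FROM %s WHERE %s = %%s" % (
+        db.quote_name("package"), db.quote_name("label")),
+        [app_label])
     if cursor.rowcount < 1:
 #         sys.stderr.write("The '%s' package isn't installed.\n" % app_label)
         print _get_packages_insert(app_label)
@@ -231,34 +249,43 @@
         perms_seen.update(dict(perms))
         contenttypes_seen[opts.module_name] = 1
         for codename, name in perms:
-            cursor.execute("SELECT 1 FROM auth_permissions WHERE package = %s AND codename = %s", (app_label, codename))
+            cursor.execute("SELECT 1 FROM %s WHERE %s = %%s AND %s = %%s" % (
+                db.quote_name("auth_permissions"), db.quote_name("package"), db.quote_name("codename")),
+                (app_label, codename))
             if cursor.rowcount < 1:
 #                 sys.stderr.write("The '%s.%s' permission doesn't exist.\n" % (app_label, codename))
                 print _get_permission_insert(name, codename, opts)
-        cursor.execute("SELECT 1 FROM content_types WHERE package = %s AND python_module_name = %s", (app_label, opts.module_name))
+        cursor.execute("SELECT 1 FROM %s WHERE %s = %%s AND %s = %%s" % (
+            db.quote_name("content_types"), db.quote_name("package"), db.quote_name("python_module_name")),
+            (app_label, opts.module_name))
         if cursor.rowcount < 1:
 #             sys.stderr.write("The '%s.%s' content type doesn't exist.\n" % (app_label, opts.module_name))
             print _get_contenttype_insert(opts)
 
     # Check that there aren't any *extra* permissions in the DB that the model
     # doesn't know about.
-    cursor.execute("SELECT codename FROM auth_permissions WHERE package = %s", (app_label,))
+    cursor.execute("SELECT %s FROM %s WHERE %s = %%s" % (
+        db.quote_name("codename"), db.quote_name("auth_permissions"), db.quote_name("package")),
+        (app_label,))
     for row in cursor.fetchall():
         try:
             perms_seen[row[0]]
         except KeyError:
 #             sys.stderr.write("A permission called '%s.%s' was found in the database but not in the model.\n" % (app_label, row[0]))
-            print "DELETE FROM auth_permissions WHERE package='%s' AND codename = '%s';" % (app_label, row[0])
+            print "DELETE FROM %s WHERE %s='%s' AND %s = '%s';" % (db.quote_name("auth_permissions"),
+                db.quote_name("package"), app_label, db.quote_name("codename"), row[0])
 
     # Check that there aren't any *extra* content types in the DB that the
     # model doesn't know about.
-    cursor.execute("SELECT python_module_name FROM content_types WHERE package = %s", (app_label,))
+    cursor.execute("SELECT %s FROM %s WHERE %s = %%s" % (db.quote_name("python_module_name"),
+        db.quote_name("content_types"), db.quote_name("package")), (app_label,))
     for row in cursor.fetchall():
         try:
             contenttypes_seen[row[0]]
         except KeyError:
 #             sys.stderr.write("A content type called '%s.%s' was found in the database but not in the model.\n" % (app_label, row[0]))
-            print "DELETE FROM content_types WHERE package='%s' AND python_module_name = '%s';" % (app_label, row[0])
+            print "DELETE FROM %s WHERE %s='%s' AND %s = '%s';" % (db.quote_name("content_types"),
+                db.quote_name("package"), app_label, db.quote_name("python_module_name"), row[0])
 database_check.help_doc = "Checks that everything is installed in the database for the given app(s) and prints SQL statements if needed."
 database_check.args = APP_ARGS
 
@@ -293,7 +320,8 @@
         cursor = db.db.cursor()
         for sql in get_sql_create(core) + get_sql_create(auth) + get_sql_initial_data(core) + get_sql_initial_data(auth):
             cursor.execute(sql)
-        cursor.execute("INSERT INTO %s (domain, name) VALUES ('mysite.com', 'My Django site')" % core.Site._meta.db_table)
+        cursor.execute("INSERT INTO %s (%s, %s) VALUES ('mysite.com', 'My Django site')" % (db.quote_name(core.Site._meta.db_table),
+            db.quote_name("domain"), db.quote_name("name")))
     except Exception, e:
         sys.stderr.write("Error: The database couldn't be initialized. Here's the full exception:\n%s\n" % e)
         db.db.rollback()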
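Review bot: New line 237 in `database_check` queries `db.quote_name("package")`, but the removed line queried the `packages` table, and every other reference in this patch (new lines 25 and 150) uses `"packages"`; as written the package-exists check will fail on every run with a missing-relation error. The line should read `db.quote_name("packages"), db.quote_name("label")),`. Separately, the rewritten INSERT and DELETE builders still splice values into quoted literals: `name` is escaped with `'` → `''` at new line 43, but `opts.verbose_name` at new line 49 and `app_label`/`row[0]` at new lines 150-152, 275-276 and 287-288 are not, so a verbose_name containing an apostrophe produces broken SQL — apply the same escaping to every interpolated value, or better, emit parameterised statements rather than literal-bearing strings. `database_check` and the `init` block at new lines 320-327 begin outside this hunk.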
  • django/core/meta.py

     
    4747capfirst = lambda x: x and x[0].upper() + x[1:]
    4848
    4949# prepares a value for use in a LIKE query
    50 prep_for_like_query = lambda x: str(x).replace("%", "\%").replace("_", "\_")
     50prep_for_like_query = lambda x: str(x).replace("%", r"\%").replace("_", r"\_")
    5151
    5252# returns the <ul> class for a given radio_admin value
    5353get_ul_class = lambda x: 'radiolist%s' % ((x == HORIZONTAL) and ' inline' or '')
     
    7272        return new_order_list
    7373
    7474def orderlist2sql(order_list, prefix=''):
     75    if prefix.endswith('.'):
     76        prefix = db.quote_name(prefix[:-1])+'.'
    7577    output = []
    7678    for f in handle_legacy_orderlist(order_list):
    7779        if f.startswith('-'):
    78             output.append('%s%s DESC' % (prefix, f[1:]))
     80            output.append('%s%s DESC' % (prefix, db.quote_name(f[1:])))
    7981        elif f == '?':
    8082            output.append('RANDOM()')
    8183        else:
    82             output.append('%s%s ASC' % (prefix, f))
     84            output.append('%s%s ASC' % (prefix, db.quote_name(f)))
    8385    return ', '.join(output)
    8486
    8587def curry(*args, **kwargs):
     
    740742    # primary key field is set manually.
    741743    if isinstance(opts.pk.rel, OneToOne):
    742744        cursor.execute("UPDATE %s SET %s WHERE %s=%%s" % \
    743             (opts.db_table, ','.join(['%s=%%s' % f.name for f in non_pks]),
    744             opts.pk.name), db_values + [getattr(self, opts.pk.name)])
     745            (db.quote_name(opts.db_table),
     746            ','.join(['%s=%%s' % db.quote_name(f.name) for f in non_pks]),
     747            db.quote_name(opts.pk.name)), db_values + [getattr(self, opts.pk.name)])
    745748        if cursor.rowcount == 0: # If nothing was updated, add the record.
    746             field_names = [f.name for f in opts.fields]
     749            field_names = [db.quote_name(f.name) for f in opts.fields]
    747750            placeholders = ['%s'] * len(field_names)
    748751            cursor.execute("INSERT INTO %s (%s) VALUES (%s)" % \
    749                 (opts.db_table, ','.join(field_names), ','.join(placeholders)),
     752                (db.quote_name(opts.db_table), ','.join(field_names), ','.join(placeholders)),
    750753                [f.get_db_prep_save(getattr(self, f.name), add=True) for f in opts.fields])
    751754    else:
    752755        if not add:
    753756            cursor.execute("UPDATE %s SET %s WHERE %s=%%s" % \
    754                 (opts.db_table, ','.join(['%s=%%s' % f.name for f in non_pks]),
    755                 opts.pk.name), db_values + [getattr(self, opts.pk.name)])
     757                (db.quote_name(opts.db_table), ','.join(['%s=%%s' % db.quote_name(f.name) for f in non_pks]),
     758                db.quote_name(opts.pk.name)), db_values + [getattr(self, opts.pk.name)])
    756759        else:
    757             field_names = [f.name for f in non_pks]
     760            field_names = [db.quote_name(f.name) for f in non_pks]
    758761            placeholders = ['%s'] * len(field_names)
    759762            if opts.order_with_respect_to:
    760                 field_names.append('_order')
     763                field_names.append(db.quote_name('_order'))
    761764                placeholders.append('(SELECT COUNT(*) FROM %s WHERE %s = %%s)' % \
    762                     (opts.db_table, opts.order_with_respect_to.name))
     765                    (db.quote_name(opts.db_table), db.quote_name(opts.order_with_respect_to.name)))
    763766                db_values.append(getattr(self, opts.order_with_respect_to.name))
    764767            cursor.execute("INSERT INTO %s (%s) VALUES (%s)" % \
    765                 (opts.db_table, ','.join(field_names), ','.join(placeholders)), db_values)
     768                (db.quote_name(opts.db_table), ','.join(field_names), ','.join(placeholders)), db_values)
    766769            setattr(self, opts.pk.name, db.get_last_insert_id(cursor, opts.db_table, opts.pk.name))
    767770    db.db.commit()
    768771    # Run any post-save hooks.
     
    785788            for sub_obj in getattr(self, 'get_%s_list' % rel_opts_name)():
    786789                sub_obj.delete()
    787790    for rel_opts, rel_field in opts.get_all_related_many_to_many_objects():
    788         cursor.execute("DELETE FROM %s WHERE %s_id=%%s" % (rel_field.get_m2m_db_table(rel_opts),
    789             self._meta.object_name.lower()), [getattr(self, opts.pk.name)])
    790     cursor.execute("DELETE FROM %s WHERE %s=%%s" % (opts.db_table, opts.pk.name), [getattr(self, opts.pk.name)])
     791        cursor.execute("DELETE FROM %s WHERE %s=%%s" % (db.quote_name(rel_field.get_m2m_db_table(rel_opts)),
     792            db.quote_name(self._meta.object_name.lower()) + '_id'), [getattr(self, opts.pk.name)])
     793    cursor.execute("DELETE FROM %s WHERE %s=%%s" % (db.quote_name(opts.db_table), db.quote_name(opts.pk.name)), [getattr(self, opts.pk.name)])
    791794    db.db.commit()
    792795    setattr(self, opts.pk.name, None)
    793796    for f in opts.fields:
     
    801804def method_get_next_in_order(opts, order_field, self):
    802805    if not hasattr(self, '_next_in_order_cache'):
    803806        self._next_in_order_cache = opts.get_model_module().get_object(order_by=('_order',),
    804             where=['_order > (SELECT _order FROM %s WHERE %s=%%s)' % (opts.db_table, opts.pk.name),
    805                 '%s=%%s' % order_field.name], limit=1,
     807            where=['_order > (SELECT _order FROM %s WHERE %s=%%s)' % (db.quote_name(opts.db_table), db.quote_name(opts.pk.name)),
     808                '%s=%%s' % db.quote_name(order_field.name)], limit=1,
    806809            params=[getattr(self, opts.pk.name), getattr(self, order_field.name)])
    807810    return self._next_in_order_cache
    808811
    809812def method_get_previous_in_order(opts, order_field, self):
    810813    if not hasattr(self, '_previous_in_order_cache'):
    811814        self._previous_in_order_cache = opts.get_model_module().get_object(order_by=('-_order',),
    812             where=['_order < (SELECT _order FROM %s WHERE %s=%%s)' % (opts.db_table, opts.pk.name),
    813                 '%s=%%s' % order_field.name], limit=1,
     815            where=['_order < (SELECT _order FROM %s WHERE %s=%%s)' % (db.quote_name(opts.db_table), db.quote_name(opts.pk.name)),
     816                '%s=%%s' % db.quote_name(order_field.name)], limit=1,
    814817            params=[getattr(self, opts.pk.name), getattr(self, order_field.name)])
    815818    return self._previous_in_order_cache
    816819
     
    835838    cache_var = '_%s_cache' % field_with_rel.name
    836839    if not hasattr(self, cache_var):
    837840        mod = rel.get_model_module()
    838         sql = "SELECT %s FROM %s a, %s b WHERE a.%s = b.%s_id AND b.%s_id = %%s %s" % \
    839             (','.join(['a.%s' % f.name for f in rel.fields]), rel.db_table,
    840             field_with_rel.get_m2m_db_table(self._meta), rel.pk.name,
    841             rel.object_name.lower(), self._meta.object_name.lower(), rel.get_order_sql('a'))
     841        sql = "SELECT %s FROM %s a, %s b WHERE a.%s = b.%s AND b.%s = %%s %s" % \
     842            (','.join(['a.%s' % db.quote_name(f.name) for f in rel.fields]), db.quote_name(rel.db_table),
     843            db.quote_name(field_with_rel.get_m2m_db_table(self._meta)), db.quote_name(rel.pk.name),
     844            db.quote_name(rel.object_name.lower() + '_id'), db.quote_name(self._meta.object_name.lower() + '_id'),
     845            rel.get_order_sql('a'))
    842846        cursor = db.db.cursor()
    843847        cursor.execute(sql, [getattr(self, self._meta.pk.name)])
    844848        setattr(self, cache_var, [getattr(mod, rel.object_name)(*row) for row in cursor.fetchall()])
     
    864868    cursor = db.db.cursor()
    865869    this_id = getattr(self, self._meta.pk.name)
    866870    if ids_to_delete:
    867         sql = "DELETE FROM %s WHERE %s_id = %%s AND %s_id IN (%s)" % (m2m_table, self._meta.object_name.lower(), rel.object_name.lower(), ','.join(map(str, ids_to_delete)))
     871        sql = "DELETE FROM %s WHERE %s = %%s AND %s IN (%s)" % (db.quote_name(m2m_table),
     872            db.quote_name(self._meta.object_name.lower() + '_id'), db.quote_name(rel.object_name.lower() + '_id'),
     873            ','.join(map(str, ids_to_delete)))
    868874        cursor.execute(sql, [this_id])
    869875    if ids_to_add:
    870         sql = "INSERT INTO %s (%s_id, %s_id) VALUES (%%s, %%s)" % (m2m_table, self._meta.object_name.lower(), rel.object_name.lower())
     876        sql = "INSERT INTO %s (%s, %s) VALUES (%%s, %%s)" % (db.quote_name(m2m_table),
     877            db.quote_name(self._meta.object_name.lower() + '_id'), db.quote_name(rel.object_name.lower() + '_id'))
    871878        cursor.executemany(sql, [(this_id, i) for i in ids_to_add])
    872879    db.db.commit()
    873880    try:
     
    910917    m2m_table = rel_field.get_m2m_db_table(rel_opts)
    911918    this_id = getattr(self, self._meta.pk.name)
    912919    cursor = db.db.cursor()
    913     cursor.execute("DELETE FROM %s WHERE %s_id = %%s" % (m2m_table, rel.object_name.lower()), [this_id])
    914     sql = "INSERT INTO %s (%s_id, %s_id) VALUES (%%s, %%s)" % (m2m_table, rel.object_name.lower(), rel_opts.object_name.lower())
     920    cursor.execute("DELETE FROM %s WHERE %s = %%s" % (db.quote_name(m2m_table), db.quote_name(rel.object_name.lower() + '_id')), [this_id])
     921    sql = "INSERT INTO %s (%s, %s) VALUES (%%s, %%s)" % (db.quote_name(m2m_table),
     922        db.quote_name(rel.object_name.lower() + '_id'),
     923        db.quote_name(rel_opts.object_name.lower() + '_id'))
    915924    cursor.executemany(sql, [(this_id, i) for i in id_list])
    916925    db.db.commit()
    917926
     
    920929def method_set_order(ordered_obj, self, id_list):
    921930    cursor = db.db.cursor()
    922931    # Example: "UPDATE poll_choices SET _order = %s WHERE poll_id = %s AND id = %s"
    923     sql = "UPDATE %s SET _order = %%s WHERE %s = %%s AND %s = %%s" % (ordered_obj.db_table, ordered_obj.order_with_respect_to.name, ordered_obj.pk.name)
     932    sql = "UPDATE %s SET _order = %%s WHERE %s = %%s AND %s = %%s" % (db.quote_name(ordered_obj.db_table),
     933        db.quote_name(ordered_obj.order_with_respect_to.name), db.quote_name(ordered_obj.pk.name))
    924934    rel_val = getattr(self, ordered_obj.order_with_respect_to.rel.field_name)
    925935    cursor.executemany(sql, [(i, rel_val, j) for i, j in enumerate(id_list)])
    926936    db.db.commit()
     
    928938def method_get_order(ordered_obj, self):
    929939    cursor = db.db.cursor()
    930940    # Example: "SELECT id FROM poll_choices WHERE poll_id = %s ORDER BY _order"
    931     sql = "SELECT %s FROM %s WHERE %s = %%s ORDER BY _order" % (ordered_obj.pk.name, ordered_obj.db_table, ordered_obj.order_with_respect_to.name)
     941    sql = "SELECT %s FROM %s WHERE %s = %%s ORDER BY _order" % (db.quote_name(ordered_obj.pk.name),
     942        db.quote_name(ordered_obj.db_table), db.quote_name(ordered_obj.order_with_respect_to.name))
    932943    rel_val = getattr(self, ordered_obj.order_with_respect_to.rel.field_name)
    933944    cursor.execute(sql, [rel_val])
    934945    return [r[0] for r in cursor.fetchall()]
     
    936947# DATE-RELATED METHODS #####################
    937948
    938949def method_get_next_or_previous(get_object_func, field, is_next, self, **kwargs):
    939     kwargs.setdefault('where', []).append('%s %s %%s' % (field.name, (is_next and '>' or '<')))
     950    kwargs.setdefault('where', []).append('%s %s %%s' % (db.quote_name(field.name), (is_next and '>' or '<')))
    940951    kwargs.setdefault('params', []).append(str(getattr(self, field.name)))
    941952    kwargs['order_by'] = [(not is_next and '-' or '') + field.name]
    942953    kwargs['limit'] = 1
     
    10161027    return settings.ABSOLUTE_URL_OVERRIDES.get('%s.%s' % (opts.app_label, opts.module_name), func)(self)
    10171028
    10181029def _get_where_clause(lookup_type, table_prefix, field_name, value):
     1030    if table_prefix.endswith('.'):
     1031        table_prefix = db.quote_name(table_prefix[:-1])+'.'
    10191032    try:
    1020         return '%s%s %s %%s' % (table_prefix, field_name, db.OPERATOR_MAPPING[lookup_type])
     1033        return '%s%s %s %%s' % (table_prefix, db.quote_name(field_name), db.OPERATOR_MAPPING[lookup_type])
    10211034    except KeyError:
    10221035        pass
    10231036    if lookup_type == 'in':
    1024         return '%s%s IN (%s)' % (table_prefix, field_name, ','.join(['%s' for v in value]))
     1037        return '%s%s IN (%s)' % (table_prefix, db.quote_name(field_name), ','.join(['%s' for v in value]))
    10251038    elif lookup_type in ('range', 'year'):
    1026         return '%s%s BETWEEN %%s AND %%s' % (table_prefix, field_name)
     1039        return '%s%s BETWEEN %%s AND %%s' % (table_prefix, db.quote_name(field_name))
    10271040    elif lookup_type in ('month', 'day'):
    1028         return "%s = %%s" % db.get_date_extract_sql(lookup_type, table_prefix + field_name)
     1041        return "%s = %%s" % db.get_date_extract_sql(lookup_type, table_prefix + db.quote_name(field_name))
    10291042    elif lookup_type == 'isnull':
    1030         return "%s%s IS %sNULL" % (table_prefix, field_name, (not value and 'NOT ' or ''))
     1043        return "%s%s IS %sNULL" % (table_prefix, db.quote_name(field_name), (not value and 'NOT ' or ''))
    10311044    raise TypeError, "Got invalid lookup_type: %s" % repr(lookup_type)
    10321045
    10331046def function_get_object(opts, klass, does_not_exist_exception, **kwargs):
     
    10921105        if f.rel and not f.null:
    10931106            db_table = f.rel.to.db_table
    10941107            if db_table not in cache_tables_seen:
    1095                 tables.append(db_table)
     1108                tables.append(db.quote_name(db_table))
    10961109            else: # The table was already seen, so give it a table alias.
    10971110                new_prefix = '%s%s' % (db_table, len(cache_tables_seen))
    1098                 tables.append('%s %s' % (db_table, new_prefix))
     1111                tables.append('%s %s' % (db.quote_name(db_table), db.quote_name(new_prefix)))
    10991112                db_table = new_prefix
    11001113            cache_tables_seen.append(db_table)
    1101             where.append('%s.%s = %s.%s' % (old_prefix, f.name, db_table, f.rel.field_name))
    1102             select.extend(['%s.%s' % (db_table, f2.name) for f2 in f.rel.to.fields])
     1114            where.append('%s.%s = %s.%s' % (db.quote_name(old_prefix), db.quote_name(f.name), db.quote_name(db_table), db.quote_name(f.rel.field_name)))
     1115            select.extend(['%s.%s' % (db.quote_name(db_table), db.quote_name(f2.name)) for f2 in f.rel.to.fields])
    11031116            _fill_table_cache(f.rel.to, select, tables, where, db_table, cache_tables_seen)
    11041117
    11051118def _throw_bad_kwarg_error(kwarg):
     
    11571170                    if f.name == current:
    11581171                        rel_table_alias = 't%s' % table_count
    11591172                        table_count += 1
    1160                         tables.append('%s %s' % (f.get_m2m_db_table(current_opts), rel_table_alias))
    1161                         join_where.append('%s.%s = %s.%s_id' % (current_table_alias, current_opts.pk.name,
    1162                             rel_table_alias, current_opts.object_name.lower()))
     1173                        tables.append('%s %s' % (db.quote_name(f.get_m2m_db_table(current_opts)), db.quote_name(rel_table_alias)))
     1174                        join_where.append('%s.%s = %s.%s' % (db.quote_name(current_table_alias), db.quote_name(current_opts.pk.name),
     1175                            db.quote_name(rel_table_alias), db.quote_name(current_opts.object_name.lower() + "_id")))
    11631176                        # Optimization: In the case of primary-key lookups, we
    11641177                        # don't have to do an extra join.
    11651178                        if lookup_list and lookup_list[0] == f.rel.to.pk.name and lookup_type == 'exact':
     
    11701183                            param_required = False
    11711184                        else:
    11721185                            new_table_alias = 't%s' % table_count
    1173                             tables.append('%s %s' % (f.rel.to.db_table, new_table_alias))
    1174                             join_where.append('%s.%s_id = %s.%s' % (rel_table_alias, f.rel.to.object_name.lower(),
    1175                                 new_table_alias, f.rel.to.pk.name))
     1186                            tables.append('%s %s' % (db.quote_name(f.rel.to.db_table), db.quote_name(new_table_alias)))
     1187                            join_where.append('%s.%s = %s.%s' % (db.quote_name(rel_table_alias), db.quote_name(f.rel.to.object_name.lower() + "_id"),
     1188                                db.quote_name(new_table_alias), db.quote_name(f.rel.to.pk.name)))
    11761189                            current_table_alias = new_table_alias
    11771190                            param_required = True
    11781191                        current_opts = f.rel.to
     
    11891202                            param_required = False
    11901203                        else:
    11911204                            new_table_alias = 't%s' % table_count
    1192                             tables.append('%s %s' % (f.rel.to.db_table, new_table_alias))
    1193                             join_where.append('%s.%s = %s.%s' % (current_table_alias, f.name, new_table_alias, f.rel.to.pk.name))
     1205                            tables.append('%s %s' % (db.quote_name(f.rel.to.db_table), db.quote_name(new_table_alias)))
     1206                            join_where.append('%s.%s = %s.%s' % (db.quote_name(current_table_alias), db.quote_name(f.name),
     1207                                db.quote_name(new_table_alias), db.quote_name(f.rel.to.pk.name)))
    11941208                            current_table_alias = new_table_alias
    11951209                            param_required = True
    11961210                        current_opts = f.rel.to
     
    12091223    return tables, join_where, where, params, table_count
    12101224
    12111225def function_get_sql_clause(opts, **kwargs):
    1212     select = ["%s.%s" % (opts.db_table, f.name) for f in opts.fields]
     1226    select = ["%s.%s" % (db.quote_name(opts.db_table), db.quote_name(f.name)) for f in opts.fields]
    12131227    tables = [opts.db_table] + (kwargs.get('tables') and kwargs['tables'][:] or [])
    12141228    where = kwargs.get('where') and kwargs['where'][:] or []
    12151229    params = kwargs.get('params') and kwargs['params'][:] or []
     
    12291243
    12301244    # Add any additional SELECTs passed in via kwargs.
    12311245    if kwargs.get('select', False):
    1232         select.extend(['(%s) AS %s' % (s[1], s[0]) for s in kwargs['select']])
     1246        select.extend(['(%s) AS %s' % (db.quote_name(s[1]), db.quote_name(s[0])) for s in kwargs['select']])
    12331247
    12341248    # ORDER BY clause
    12351249    order_by = []
     
    12401254            # Use the database table as a column prefix if it wasn't given,
    12411255            # and if the requested column isn't a custom SELECT.
    12421256            if "." not in f and f not in [k[0] for k in kwargs.get('select', [])]:
    1243                 table_prefix = opts.db_table + '.'
     1257                table_prefix = db.quote_name(opts.db_table) + '.'
    12441258            else:
    12451259                table_prefix = ''
    12461260            if f.startswith('-'):
    1247                 order_by.append('%s%s DESC' % (table_prefix, f[1:]))
     1261                order_by.append('%s%s DESC' % (table_prefix, db.quote_name(f[1:])))
    12481262            else:
    1249                 order_by.append('%s%s ASC' % (table_prefix, f))
     1263                order_by.append('%s%s ASC' % (table_prefix, db.quote_name(f)))
    12501264    order_by = ", ".join(order_by)
    12511265
    12521266    # LIMIT and OFFSET clauses
     
    12621276def function_get_in_bulk(opts, klass, *args, **kwargs):
    12631277    id_list = args and args[0] or kwargs['id_list']
    12641278    assert id_list != [], "get_in_bulk() cannot be passed an empty list."
    1265     kwargs['where'] = ["%s.id IN (%s)" % (opts.db_table, ",".join(map(str, id_list)))]
     1279    kwargs['where'] = ["%s.%s IN (%s)" % (db.quote_name(opts.db_table), db.quote_name("id"), ",".join(map(str, id_list)))]
    12661280    obj_list = function_get_list(opts, klass, **kwargs)
    12671281    return dict([(o.id, o) for o in obj_list])
    12681282
     
    12821296    assert order in ('ASC', 'DESC'), "'order' must be either 'ASC' or 'DESC'"
    12831297    kwargs['order_by'] = [] # Clear this because it'll mess things up otherwise.
    12841298    if field.null:
    1285         kwargs.setdefault('where', []).append('%s.%s IS NOT NULL' % (opts.db_table, field.name))
     1299        kwargs.setdefault('where', []).append('%s.%s IS NOT NULL' % (db.quote_name(opts.db_table), db.quote_name(field.name)))
    12861300    select, sql, params = function_get_sql_clause(opts, **kwargs)
    1287     sql = 'SELECT %s %s GROUP BY 1 ORDER BY 1' % (db.get_date_trunc_sql(kind, '%s.%s' % (opts.db_table, field.name)), sql)
     1301    sql = 'SELECT %s %s GROUP BY 1 ORDER BY 1' % (db.get_date_trunc_sql(kind, '%s.%s' % (db.quote_name(opts.db_table), db.quote_name(field.name))), sql)
    12881302    cursor = db.db.cursor()
    12891303    cursor.execute(sql, params)
    12901304    # We have to manually run typecast_timestamp(str()) on the results, because