Opened 19 years ago

Last modified 18 years ago

#305 closed defect

sql code was not white space safe? — at Version 2

Reported by: scanner@… Owned by: Adrian Holovaty
Component: Database layer (models, ORM) Version: 1.0
Severity: normal Keywords: quoting strings for 'get_object(<field>__exact = ...)'
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description (last modified by Adrian Holovaty)

Using the postgresql backend I have a model which has "albums" which only has two fields. The important field is:

meta.CharField('name', maxlength = 512)

so I create the model fun. Now in python code I do the following:

album = albums.get_object(name__exact = album_name)

Where album was the string "Dungeon Keeper 2"

This died with the error:

  File "/usr/local/lib/python2.4/site-packages/django/utils/functional.py", line 3, in _curried
    return args[0](*(args[1:]+moreargs), **dict(kwargs.items() + morekwargs.items()))
  File "/usr/local/lib/python2.4/site-packages/django/core/meta/__init__.py", line 1013, in function_get_object
    obj_list = function_get_list(opts, klass, **kwargs)
  File "/usr/local/lib/python2.4/site-packages/django/core/meta/__init__.py", line 1053, in function_get_list
    return list(function_get_iterator(opts, klass, **kwargs))
  File "/usr/local/lib/python2.4/site-packages/django/core/meta/__init__.py", line 1036, in function_get_iterator
    cursor.execute("SELECT " + (kwargs.get('distinct') and "DISTINCT " or "") + ",".join(select) + sql, params)
  File "/usr/local/lib/python2.4/site-packages/django/core/db/base.py", line 10, in execute
    result = self.cursor.execute(sql, params)
psycopg.ProgrammingError: ERROR:  syntax error at or near "Keeper" at character 123

SELECT music_albums.id,music_albums.name,music_albums.simplified_name FROM music_albums WHERE music_albums.name = Dungeon Keeper 2

Now if I modified my call to be:

album = albums.get_object(name__exact = "'%s'" % album_name)

it works. (Note the " ' %s ' ") thus quoting the string. I would have thought it would do sql safe quoting of my strings for me?

Change History (2)

comment:1 by Jacob, 19 years ago

There's got to be something else going on here -- spaces in strings don't cause any problems (see http://www.djangoproject.com/documentation/models/lookup/#sample-usage which is one of our tests). Can you attach your entire model to this ticket so we can take a look?

comment:2 by Adrian Holovaty, 19 years ago

Description: modified (diff)

(Changed formatting in description)

Note: See TracTickets for help on using tickets.
Back to Top