#3041 closed defect (invalid)
Bug with LIKE raw SQL in CursorDebugWrapper
Reported by: | yopi | Owned by: | Adrian Holovaty |
---|---|---|---|
Component: | Database layer (models, ORM) | Version: | |
Severity: | normal | Keywords: | |
Cc: | | Triage Stage: | Unreviewed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Using an SQL statement including the % operator (in a query such as:
"SELECT count(*), avg(b) FROM t1 WHERE c LIKE '%%%s%%'" % num_string
the CursorDebugWrapper fails (/db/backends/util.py, line 19)
with the error:
"not enough arguments for format string"
as the operator is not properly escaped.
Turning off the DEBUG variable bypasses this.
Change History (4)
comment:1 by , 18 years ago
comment:2 by , 18 years ago
Resolution: | → invalid |
---|---|
Status: | new → closed |
Yes, it will fail because the string which the cursor receives is run through string substitution of any given parameters. So either quad-quote your percents or pass it in as a parameter like you should be:
cursor.execute("SELECT count(*), avg(b) FROM t1 WHERE c LIKE %s", ('%%%s%%' % num_string,))
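The failure mode and both fixes from the comment, as an added Python example (not Django's code and not from the ticket). It models the debug wrapper's logging step as `sql % params`, which is the behaviour the report and the reply describe, and translates `%s` placeholders to sqlite3's `?` style only so that it runs offline; the table, the rows, the `INJECT` string and the `to_qmark`, `count_*`, `escape_like` and `debug_log_error` helpers are all constructed here. It also goes past the ticket on two points: pre-formatting the term into the SQL text is an injection path whether or not DEBUG is on (quad-quoting stops the crash, not the injection), and with the parameterised query a user-supplied `%` or `_` still acts as a LIKE wildcard unless escaped, which the `ESCAPE` clause handling below adds as practice the ticket does not mention.

```python
import sqlite3

# Constructed sample data for table t1 (not from the ticket).
ROWS = [("alice", 1), ("bob", 2), ("alice smith", 3), ("carol", 4)]

# Constructed injection attempt: closes the quoted pattern and appends an
# always-true LIKE. Inert as a bound parameter, effective when interpolated.
INJECT = "x%' OR 'a' LIKE '%"


def to_qmark(sql):
    """Translate the 'format' paramstyle (%s placeholder, %% for a literal %)
    to sqlite3's '?' style. Only so the example runs offline; the backends
    in the ticket took %s directly."""
    out, i = [], 0
    while i < len(sql):
        if sql.startswith("%%", i):
            out.append("%")
            i += 2
        elif sql.startswith("%s", i):
            out.append("?")
            i += 2
        else:
            out.append(sql[i])
            i += 1
    return "".join(out)


class DebugCursorWrapper:
    """Stand-in for the old CursorDebugWrapper: execute the query, then, when
    debug is on, log sql % params. That logging step is the line the ticket
    reports; every literal '%' in sql must therefore be written as '%%'."""

    def __init__(self, cursor, debug):
        self.cursor = cursor
        self.debug = debug
        self.queries = []

    def execute(self, sql, params=()):
        self.cursor.execute(to_qmark(sql), params)
        if self.debug:
            self.queries.append(sql % params)  # TypeError on a bare '%'
        return self

    def fetchone(self):
        return self.cursor.fetchone()


def make_cursor(debug):
    """Fresh in-memory database with the sample rows, wrapped as Django did."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t1 (c TEXT, b INTEGER)")
    conn.executemany("INSERT INTO t1 VALUES (?, ?)", ROWS)
    return DebugCursorWrapper(conn.cursor(), debug)


def count_broken(cur, term):
    """Reporter's pattern: the term is interpolated into the SQL text, so the
    pattern's '%' reach the wrapper bare and the term itself is injectable."""
    sql = "SELECT count(*), avg(b) FROM t1 WHERE c LIKE '%%%s%%'" % term
    return cur.execute(sql).fetchone()[0]


def count_quad(cur, term):
    """Comment's first option: '%%%%' survives the caller's own % as '%%',
    which the wrapper reduces to '%'. No crash, but still interpolated."""
    sql = "SELECT count(*), avg(b) FROM t1 WHERE c LIKE '%%%%%s%%%%'" % term
    return cur.execute(sql).fetchone()[0]


def count_fixed(cur, term):
    """Comment's second option: the SQL text carries only the %s placeholder
    and the wildcard-wrapped term travels as a bound parameter."""
    sql = "SELECT count(*), avg(b) FROM t1 WHERE c LIKE %s"
    return cur.execute(sql, ("%%%s%%" % term,)).fetchone()[0]


def escape_like(term, esc="\\"):
    """Escape LIKE metacharacters so a user-supplied '%' or '_' matches itself
    rather than acting as a wildcard (added practice, not in the ticket)."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def count_safe(cur, term):
    """count_fixed plus wildcard escaping; ESCAPE names the escape character."""
    sql = "SELECT count(*), avg(b) FROM t1 WHERE c LIKE %s ESCAPE '\\'"
    return cur.execute(sql, ("%%%s%%" % escape_like(term),)).fetchone()[0]


def debug_log_error(term):
    """Message raised by the debug wrapper's logging for the broken pattern,
    or None if it logged cleanly."""
    try:
        count_broken(make_cursor(debug=True), term)
    except TypeError as exc:
        return str(exc)
    return None
```

With DEBUG off the reporter's query runs, which is why disabling DEBUG hid the problem; with DEBUG on the query still executes and only the logging line raises. The bound-parameter form logs cleanly and also neutralises the constructed injection string, whereas the quad-quoted form only removes the crash.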
comment:4 by , 15 years ago
Cc: | removed |
---|---|
Can you please append the full backtrace?