Opened 18 years ago

Closed 18 years ago

Last modified 15 years ago

#3041 closed defect (invalid)

Bug with LIKE raw SQL in CursorDebugWrapper

Reported by: yopi
Owned by: Adrian Holovaty
Component: Database layer (models, ORM)
Version:
Severity: normal
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

Using an SQL statement including the % operator (in a query such as:
"SELECT count(*), avg(b) FROM t1 WHERE c LIKE '%%%s%%'" % num_string)

the CursorDebugWrapper fails (/db/backends/util.py +19)
with the error:
"not enough arguments for format string"
as the operator is not properly escaped.

Turning off the DEBUG variable bypasses this.

Change History (4)

comment:1 by mir@…, 18 years ago

Can you please append the full backtrace?

comment:2 by Chris Beaven, 18 years ago

Resolution: invalid
Status: new → closed

Yes, it will fail because the string which the cursor receives is run through string substitution of any given parameters. So either quad-quote your percents or pass it in as a parameter like you should be:

cursor.execute("SELECT count(*), avg(b) FROM t1 WHERE c LIKE %s", ('%%%s%%' % num_string,))
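The following is an added illustration, not code from the ticket or from Django: a constructed stand-in for the debug wrapper's logging step (assumed to render the query with Python %-formatting and the bound parameters, which is the mechanism comment 2 describes) run against both the reporter's interpolated query and the parameterized form, plus the parameterized form executed against an in-memory SQLite table with constructed rows. The names `render_for_debug_log`, `buggy_query`, `parameterized_query`, `debug_log_fails` and `run_like_count` are hypothetical.

```python
import sqlite3

def render_for_debug_log(sql, params=()):
    # Assumed model of the old CursorDebugWrapper logging step: the SQL text
    # is %-formatted with the parameters so the executed query can be logged.
    return sql % tuple(params)

def buggy_query(search_text):
    # The reporter's approach: interpolate the value into the SQL text.
    # The first %-formatting consumes the doubled %%, so the SQL handed to the
    # wrapper contains bare % characters and an empty parameter tuple.
    return "SELECT count(*), avg(b) FROM t1 WHERE c LIKE '%%%s%%'" % search_text, ()

def parameterized_query(search_text):
    # Comment 2's recommendation: keep the SQL constant and pass the whole
    # LIKE pattern as a bound parameter.
    return "SELECT count(*), avg(b) FROM t1 WHERE c LIKE %s", ("%%%s%%" % search_text,)

def debug_log_fails(sql, params):
    # True when the logging step cannot format the query. Which exception
    # Python raises depends on the character after the bare %: "%a" needs an
    # argument (TypeError, "not enough arguments for format string"), while an
    # unknown conversion character raises ValueError.
    try:
        render_for_debug_log(sql, params)
        return False
    except (TypeError, ValueError):
        return True

def run_like_count(search_text):
    # Execute the parameterized form against constructed sample data.
    # sqlite3 uses '?' placeholders, so the %s is translated here; Django's
    # backends accept %s directly.
    sql, params = parameterized_query(search_text)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t1 (b REAL, c TEXT)")
    conn.executemany("INSERT INTO t1 VALUES (?, ?)",
                     [(1.0, "abc123"), (3.0, "xyz12"), (5.0, "nothing")])
    row = conn.execute(sql.replace("%s", "?"), params).fetchone()
    conn.close()
    return row[0]

if __name__ == "__main__":
    print(debug_log_fails(*buggy_query("abc")))          # True: '%a' eats the logger
    print(debug_log_fails(*parameterized_query("abc")))  # False
    print(render_for_debug_log(*parameterized_query("abc")))
    print(run_like_count("12"))                          # 2 rows contain "12"
    print(run_like_count("'"))                           # 0, the quote is plain data
```

With the parameterized form the only `%` in the SQL text is the placeholder, so the logger's formatting step and the database driver's parameter binding agree, and a quote in the search text is bound as data rather than spliced into the statement. One caveat the ticket does not cover: `%` and `_` inside the search text are still LIKE wildcards once bound, so input that must match literally needs an ESCAPE clause as well.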

comment:3 by Thomas Güttler, 16 years ago

Cc: hv@… added

Reopened as #9055

comment:4 by Thomas Güttler, 15 years ago

Cc: hv@… removed