Opened 19 years ago
Last modified 18 years ago
#305 closed defect
sql code was not white space safe? — at Version 2
| Reported by: | Owned by: | Adrian Holovaty | |
|---|---|---|---|
| Component: | Database layer (models, ORM) | Version: | 1.0 |
| Severity: | normal | Keywords: | quoting strings for 'get_object(<field>__exact = ...)' |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description (last modified by )
Using the postgresql backend I have a model which has "albums" which only has two fields. The important field is:
meta.CharField('name', maxlength = 512)
so I create the model fun. Now in python code I do the following:
album = albums.get_object(name__exact = album_name)
Where album was the string "Dungeon Keeper 2"
This died with the error:
File "/usr/local/lib/python2.4/site-packages/django/utils/functional.py", line 3, in _curried
return args[0](*(args[1:]+moreargs), **dict(kwargs.items() + morekwargs.items()))
File "/usr/local/lib/python2.4/site-packages/django/core/meta/__init__.py", line 1013, in function_get_object
obj_list = function_get_list(opts, klass, **kwargs)
File "/usr/local/lib/python2.4/site-packages/django/core/meta/__init__.py", line 1053, in function_get_list
return list(function_get_iterator(opts, klass, **kwargs))
File "/usr/local/lib/python2.4/site-packages/django/core/meta/__init__.py", line 1036, in function_get_iterator
cursor.execute("SELECT " + (kwargs.get('distinct') and "DISTINCT " or "") + ",".join(select) + sql, params)
File "/usr/local/lib/python2.4/site-packages/django/core/db/base.py", line 10, in execute
result = self.cursor.execute(sql, params)
psycopg.ProgrammingError: ERROR: syntax error at or near "Keeper" at character 123
SELECT music_albums.id,music_albums.name,music_albums.simplified_name FROM music_albums WHERE music_albums.name = Dungeon Keeper 2
Now if I modified my call to be:
album = albums.get_object(name__exact = "'%s'" % album_name)
it works. (Note the " ' %s ' ") thus quoting the string. I would have thought it would do sql safe quoting of my strings for me?
Note:
See TracTickets
for help on using tickets.
There's got to be something else going on here -- spaces in strings don't cause any problems (see http://www.djangoproject.com/documentation/models/lookup/#sample-usage which is one of our tests). Can you attach your entire model to this ticket so we can take a look?