Ticket #14091: 14091.3.patch

AUTHORS

@@ -60 +60 @@
     atlithorn <atlithorn@gmail.com>
     Jökull Sólberg Auðunsson <jokullsolberg@gmail.com>
     Arthur <avandorp@gmail.com>
+    Aymeric Augustin <aymeric.augustin@m4x.org>
     av0000@mail.ru
     David Avsajanishvili <avsd05@gmail.com>
     Mike Axiak <axiak@mit.edu>

docs/faq/models.txt

@@ -22 +22 @@
 
 ``connection.queries`` includes all SQL statements -- INSERTs, UPDATES,
 SELECTs, etc. Each time your app hits the database, the query will be recorded.
-Note that the raw SQL logged in ``connection.queries`` may not include
-parameter quoting.  Parameter quoting is performed by the database-specific
-backend, and not all backends provide a way to retrieve the SQL after quoting.
+Note that the raw SQL is :ref:`unreliable with SQLite <sqlite-connection-queries>`.
 
 .. versionadded:: 1.2
 

docs/ref/databases.txt

@@ -465 +465 @@
 binary distribution, if needed.
 
 "Database is locked" errors
------------------------------------------------
+---------------------------
 
 SQLite is meant to be a lightweight database, and thus can't support a high
 level of concurrency. ``OperationalError: database is locked`` errors indicate
@@ -506 +506 @@
 SQLite does not support the ``SELECT ... FOR UPDATE`` syntax. Calling it will
 have no effect.
 
+.. _sqlite-connection-queries:
+
+Parameters not quoted in ``connection.queries``
+-----------------------------------------------
+
+``sqlite3`` does not provide a way to retrieve the SQL after quoting and
+substituting the parameters. Instead, the SQL in ``connection.queries`` is
+rebuilt with a simple string interpolation. It may be incorrect. Make sure
+you add quotes where necessary before copying a query into a SQLite shell.
+
 .. _oracle-notes:
 
 Oracle notes

django/db/backends/mysql/base.py

@@ -191 +191 @@
     def fulltext_search_sql(self, field_name):
         return 'MATCH (%s) AGAINST (%%s IN BOOLEAN MODE)' % field_name
 
+    def last_executed_query(self, cursor, sql, params):
+        # With MySQLdb, cursor objects have an (undocumented) "_last_executed"
+        # attribute where the exact query sent to the database is saved.
+        # See MySQLdb/cursors.py in the source distribution.
+        return cursor._last_executed
+
     def no_limit_value(self):
         # 2**64 - 1, as recommended by the MySQL documentation
         return 18446744073709551615L

django/db/backends/oracle/base.py

@@ -210 +210 @@
         else:
             return "%s"
 
+    def last_executed_query(self, cursor, sql, params):
+        # http://cx-oracle.sourceforge.net/html/cursor.html#Cursor.statement
+        # The DB API definition does not define this attribute.
+        return cursor.statement
+
     def last_insert_id(self, cursor, table_name, pk_name):
         sq_name = self._get_sequence_name(table_name)
         cursor.execute('SELECT "%s".currval FROM dual' % sq_name)

django/db/backends/postgresql_psycopg2/operations.py

@@ -202 +202 @@
         return 63
 
     def last_executed_query(self, cursor, sql, params):
-        # With psycopg2, cursor objects have a "query" attribute that is the
-        # exact query sent to the database. See docs here:
-        # http://www.initd.org/tracker/psycopg/wiki/psycopg2_documentation#postgresql-status-message-and-executed-query
+        # http://initd.org/psycopg/docs/cursor.html#cursor.query
+        # The query attribute is a Psycopg extension to the DB API 2.0.
         return cursor.query
 
     def return_insert_id(self):

tests/regressiontests/backends/tests.py

@@ -2 +2 @@
 # Unit and doctests for specific database backends.
 import datetime
 
+from django.conf import settings
 from django.core.management.color import no_style
 from django.db import backend, connection, connections, DEFAULT_DB_ALIAS, IntegrityError
 from django.db.backends.signals import connection_created
@@ -85 +86 @@
         classes = models.SchoolClass.objects.filter(last_updated__day=20)
         self.assertEqual(len(classes), 1)
 
+class LastExecutedQueryTest(TestCase):
 
+    def setUp(self):
+        # connection.queries will not be filled in without this
+        settings.DEBUG = True
+
+    def tearDown(self):
+        settings.DEBUG = False
+
+    # There are no tests for the sqlite backend because it does not
+    # implement paramater escaping. See #14091.
+
+    @unittest.skipUnless(connection.vendor in ('oracle', 'postgresql'),
+                         "These backends use the standard parameter escaping rules")
+    def test_parameter_escaping(self):
+        # check that both numbers and string are properly quoted
+        list(models.Tag.objects.filter(name="special:\\\"':", object_id=12))
+        sql = connection.queries[-1]['sql']
+        self.assertTrue("= 'special:\\\"'':' " in sql)
+        self.assertTrue("= 12 " in sql)
+
+    @unittest.skipUnless(connection.vendor == 'mysql',
+                         "MySQL uses backslashes to escape parameters.")
+    def test_parameter_escaping(self):
+        list(models.Tag.objects.filter(name="special:\\\"':", object_id=12))
+        sql = connection.queries[-1]['sql']
+        # only this line is different from the test above
+        self.assertTrue("= 'special:\\\\\\\"\\':' " in sql)
+        self.assertTrue("= 12 " in sql)
+
 class ParameterHandlingTest(TestCase):
     def test_bad_parameter_count(self):
         "An executemany call with too many/not enough parameters will raise an exception (Refs #12612)"