Ticket #470: 470-2.patch

File 470-2.patch, 2.7 KB (added by jws, 10 years ago)

Second rev, with addition of escaping function

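--- a/django/core/db/backends/postgresql.py
+++ b/django/core/db/backends/postgresql.py
@@ -53,6 +53,17 @@
         if name.startswith('"') and name.endswith('"'):
             return name # Quoting once is enough.
         return '"%s"' % name
+
+    def escapechars(self,rawstring):
+        "Escapes dangerous characters from SQL in a backend-specific way"
+        # important to process backslashes first, otherwise characters are substituted twice!
+        cookedstring = rawstring.replace('\\','\\\\')
+        cookedstring = rawstring.replace("'","''")
+        cookedstring = rawstring.replace('"','\"')
+        cookedstring = rawstring.replace('*','\*')
+        cookedstring = rawstring.replace('_','\_')
+        cookedstring = rawstring.replace(';','\;')
+        return cookedstring
 
 def dictfetchone(cursor):
     "Returns a row from the cursor as a dict"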
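Review bot: Every `.replace()` call in escapechars reads `rawstring` instead of the previous `cookedstring`, so each assignment discards the one before it and the function returns only the `;` substitution; the single-quote doubling this function exists for never reaches the output, and the comment about processing backslashes first describes an order that is not actually in effect. The `'"'`→`'\"'` step is a no-op because Python reads `'\"'` as the same string as `'"'`, and `*`, `_` and `;` are not string-literal escape characters in SQL (a quoted literal may contain them verbatim), so those substitutions only write literal backslashes into the stored default. Chaining the calls on `cookedstring` and dropping the unneeded substitutions gives the rewrite below; whether the backslash doubling is required depends on how the deployed PostgreSQL version treats backslashes inside string literals, so that line is worth confirming. If the database adapter exposes its own literal-quoting routine, using it would be preferable to maintaining this list by hand.
```python
    def escapechars(self,rawstring):
        "Escapes dangerous characters from SQL in a backend-specific way"
        # backslashes first, so that nothing introduced by a later substitution is doubled again
        cookedstring = rawstring.replace('\\', '\\\\')
        cookedstring = cookedstring.replace("'", "''")
        return cookedstring
```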
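--- a/django/core/db/backends/sqlite3.py
+++ b/django/core/db/backends/sqlite3.py
@@ -55,6 +55,12 @@
             self.connection.close()
             self.connection = None
 
+    def escapechars(self,rawstring):
+        "Escapes dangerous characters from SQL in a backend-specific way"
+        # sqlite will happily accept a variety of characters without complaint. Single-quotes, however, must be doubled.
+        cookedstring = rawstring.replace("'","''")
+        return cookedstring
+
     def quote_name(self, name):
         if name.startswith('"') and name.endswith('"'):
             return name # Quoting once is enough.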
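Review bot: The docstring on escapechars does not say what the caller receives back, and the only safe reading of the code is "the contents of a single-quoted SQL literal, without the quotes"; since the postgresql backend's method of the same name is also meant to handle backslashes, that contract should be written down so callers treat both results the same way, e.g. `"Returns rawstring escaped for use inside a single-quoted SQL string literal; the caller adds the surrounding quotes."`. Doubling `'` appears to be the right treatment here, as the comment on the line above it notes that sqlite accepts other characters as-is. A caller that passes the surrounding quotes in as part of rawstring (as management.py in this patch does) gets `''x''` back instead of `'x'`, which is the failure mode the docstring should warn against.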
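--- a/django/core/management.py
+++ b/django/core/management.py
@@ -81,6 +81,12 @@
                     field_output.append('REFERENCES %s (%s)' % \
                         (db.db.quote_name(f.rel.to.db_table),
                         db.db.quote_name(f.rel.to.get_field(f.rel.field_name).column)))
+                if f.default <> meta.fields.NOT_PROVIDED:
+                    try:
+                        escaped_string = db.db.escapechars("DEFAULT '%s'" % (f.default,))
+                        field_output.append(escaped_string)
+                    except NotImplemented:
+                        pass
                 table_output.append(' '.join(field_output))
         if opts.order_with_respect_to:
             table_output.append('%s %s NULL' % (db.db.quote_name('_order'), db.DATA_TYPES['IntegerField']))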
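Review bot: escapechars is applied to the whole `"DEFAULT '%s'"` fragment rather than to the value, so a backend that doubles single quotes (the sqlite3 backend in this patch does) emits `DEFAULT ''x''`, which is not valid SQL; escape the value and quote it afterwards, `field_output.append("DEFAULT '%s'" % db.db.escapechars('%s' % (f.default,)))`. The `except NotImplemented:` clause also never matches anything: `NotImplemented` is a return-value singleton, not an exception class, so a backend without the method would surface as an AttributeError here rather than being caught, and if the intent is `except NotImplementedError:` then silently dropping the DEFAULT clause with `pass` hides a schema difference that the generated SQL should at least report. The enclosing function begins and ends outside this hunk.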