
Ticket #470: 470-2.patch

File 470-2.patch, 2.7 KB (added by jws, 8 years ago)

Second rev, with addition of escaping function

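--- a/django/core/db/backends/postgresql.py
+++ b/django/core/db/backends/postgresql.py
@@ -53,6 +53,17 @@
         if name.startswith('"') and name.endswith('"'):
             return name # Quoting once is enough.
         return '"%s"' % name
+
+    def escapechars(self,rawstring):
+        "Escapes dangerous characters from SQL in a backend-specific way"
+        # important to process backslashes first, otherwise characters are substituted twice!
+        cookedstring = rawstring.replace('\\','\\\\')
+        cookedstring = rawstring.replace("'","''")
+        cookedstring = rawstring.replace('"','\"')
+        cookedstring = rawstring.replace('*','\*')
+        cookedstring = rawstring.replace('_','\_')
+        cookedstring = rawstring.replace(';','\;')
+        return cookedstring
 
 def dictfetchone(cursor):
     "Returns a row from the cursor as a dict"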
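Review bot: Each of the six replace lines in the new escapechars starts from `rawstring` instead of the previous result, so every assignment but the last is discarded and the returned string has only `;` rewritten — a `'` in the input reaches the SQL literal unescaped, which defeats the purpose of the function. Chain on the accumulated value and keep only the replacements that matter for a single-quoted PostgreSQL literal, e.g. `cooked = rawstring.replace('\\', '\\\\')` followed by `return cooked.replace("'", "''")`. The other lines add nothing even once chained: `'\"'` is just `"` in Python, so that replace is a no-op, and `\*`, `\_` and `\;` do not escape anything inside a quoted literal (as far as I can tell `_` and `*` only matter in LIKE patterns and identifiers, which this method is not used for here). If the backend's DB-API adapter can quote a Python value for you (psycopg's adapt/QuotedString, for instance), preferring it over hand-rolled escaping would be safer still, though that adapter is not visible in this patch.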
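--- a/django/core/db/backends/sqlite3.py
+++ b/django/core/db/backends/sqlite3.py
@@ -55,6 +55,12 @@
             self.connection.close()
             self.connection = None
 
+    def escapechars(self,rawstring):
+        "Escapes dangerous characters from SQL in a backend-specific way"
+        # sqlite will happily accept a variety of characters without complaint. Single-quotes, however, must be doubled.
+        cookedstring = rawstring.replace("'","''")
+        return cookedstring
+
     def quote_name(self, name):
         if name.startswith('"') and name.endswith('"'):
             return name # Quoting once is enough.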
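Review bot: The docstring on the new escapechars only says "dangerous characters" and leaves the actual contract implicit: the method returns the body of a single-quoted SQLite literal, not a quoted or complete SQL fragment, and the caller must add the surrounding quotes after escaping (the management.py hunk in this same patch escapes the already-quoted `DEFAULT '...'` string, which doubles the delimiters themselves). Suggest `"Escape rawstring for use inside a single-quoted SQLite string literal; only the single quote needs doubling, and the caller adds the surrounding quotes."`. A non-string `rawstring` (an integer default, say) would raise AttributeError on `.replace`; if such values are expected, apply `str(rawstring)` first — I cannot see from here what callers actually pass.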
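--- a/django/core/management.py
+++ b/django/core/management.py
@@ -81,6 +81,12 @@
                     field_output.append('REFERENCES %s (%s)' % \
                         (db.db.quote_name(f.rel.to.db_table),
                         db.db.quote_name(f.rel.to.get_field(f.rel.field_name).column)))
+                if f.default <> meta.fields.NOT_PROVIDED:
+                    try:
+                        escaped_string = db.db.escapechars("DEFAULT '%s'" % (f.default,))
+                        field_output.append(escaped_string)
+                    except NotImplemented:
+                        pass
                 table_output.append(' '.join(field_output))
         if opts.order_with_respect_to:
             table_output.append('%s %s NULL' % (db.db.quote_name('_order'), db.DATA_TYPES['IntegerField']))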
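Review bot: The new `escaped_string = db.db.escapechars("DEFAULT '%s'" % (f.default,))` passes the whole quoted fragment through the escaper, so the delimiting quotes are escaped along with the value — with the sqlite3 backend added in this patch the output is `DEFAULT ''x''`, which is not valid SQL; escape only the value and then wrap it: `escaped_default = db.db.escapechars(str(f.default))` followed by `field_output.append("DEFAULT '%s'" % escaped_default)`. The `except NotImplemented:` below it can never match, because `NotImplemented` is a singleton constant rather than an exception class, and a backend that lacks escapechars raises `AttributeError` instead; if the intent is best-effort skipping, `except (NotImplementedError, AttributeError):` expresses it, though silently dropping a column default deserves at least a warning. Note that `f.default` is a Python value interpolated straight into DDL, so the safety of this line rests entirely on each backend's escapechars being correct. The enclosing function starts and ends outside this hunk.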