Ticket #967: safe_quoted_tables.diff

File safe_quoted_tables.diff, 1.6 KB (added by freakboy@…, 10 years ago)

Patch for safe quoting of table names in db queries

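--- a/django/core/meta/__init__.py
+++ b/django/core/meta/__init__.py
@@ -1580,9 +1580,20 @@
     return tables, join_where, where, params, table_count
 
 def function_get_sql_clause(opts, **kwargs):
+    def quote_only_if_word(word):
+        """
+        Helper function used to protect user-provided names that might be
+        subselects in their own right
+        """
+        if word.find(' ')>=0:
+            return word
+        else:
+            return db.db.quote_name(word)
+
+    # Construct the fundamental parts of the query: SELECT X FROM Y WHERE Z
     select = ["%s.%s" % (db.db.quote_name(opts.db_table), db.db.quote_name(f.column)) for f in opts.fields]
     tables = [opts.db_table] + (kwargs.get('tables') and kwargs['tables'][:] or [])
-    tables = [db.db.quote_name(t) for t in tables]
+    tables = [quote_only_if_word(t) for t in tables]
     where = kwargs.get('where') and kwargs['where'][:] or []
     params = kwargs.get('params') and kwargs['params'][:] or []
 
@@ -1600,11 +1611,6 @@ def function_get_sql_clause(opts, **kwargs):
         _fill_table_cache(opts, select, tables, where, opts.db_table, [opts.db_table])
 
     # Add any additional SELECTs passed in via kwargs.
-    def quote_only_if_word(word):
-        if word.find(' ')>=0:
-            return word
-        else:
-            return db.db.quote_name(word)
     if kwargs.get('select'):
         select.extend(['(%s) AS %s' % (quote_only_if_word(s[1]), db.db.quote_name(s[0])) for s in kwargs['select']])
 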
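Review bot: The docstring on `quote_only_if_word` (new lines 1584–1587) describes the opposite of the contract the code enforces: a value containing a space is not "protected" but returned verbatim and spliced into the statement unquoted, so it is the caller, not this helper, that must guarantee such values are application-authored SQL fragments rather than request data. I would state that explicitly, e.g. `"""Quote *word* as an identifier unless it contains a space; a value with a space is assumed to be a caller-written SQL fragment and is inserted verbatim."""`, so readers of the `tables` and `select` kwargs know which inputs are treated as trusted. The membership test reads more naturally as `if ' ' in word:` than `if word.find(' ')>=0:`. `function_get_sql_clause` begins in the first hunk and continues past the end of both hunks, so the remaining uses of the helper are outside what I can see here.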