Base last_executed_query() does not escape parameters
Reported by: Pablo Brasero | Owned by: Pablo Brasero
Component: Database layer (models, ORM) | Version: 1.2-beta
Has patch: yes | Needs documentation: no
Needs tests: yes | Patch needs improvement: no
The base implementation of last_executed_query() does not escape its parameters. For example, a query like the following is returned:
u'SELECT * FROM things WHERE name = unscaped"stuff'
When it should be something along the lines of:
u'SELECT * FROM things WHERE name = "unscaped\"stuff"'
Nevertheless, it can be argued that BaseDatabaseOperations does not make assumptions as to what quoting scheme each different database prefers. In that case, the problem is that the MySQL backend (and probably all others except postgresql_psycopg2) suffers from this problem by not implementing its own version of
A specific third-party piece of software that is affected by this problem is django-devserver. This raises an exception on my computer when it tries to display recently executed SQL statements that contain characters such as quotes, as it relies on last_executed_query() to do so.
I'm attaching a patch for 1.2-beta, although 1.1 is affected too. It implements a MySQL-specific solution in the appropriate backend.
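To make the report concrete, here is an added example (not Django's code and not the attached patch) that places the unquoted substitution the ticket describes beside a backend-style rendering that quotes each parameter as a MySQL literal before substitution. The escaper is a simplified, non-charset-aware version of the backslash scheme MySQL uses; it is for rendering an already executed query for display, not for building SQL to execute. It also accepts dict parameters (the %(name)s form), which the ticket does not mention; that extension and all function names are assumptions.

```python
# Added example, not code from Django or from the ticket's patch.
# Demonstrates why last_executed_query() must quote its parameters:
# substituting raw values yields a string that is not valid SQL and
# that display tools cannot parse reliably.

# Backslash escapes in the style MySQL applies to string literals
# (simplified: not charset-aware, no NO_BACKSLASH_ESCAPES handling).
_MYSQL_ESCAPES = {
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\0": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\x1a": "\\Z",
}


def mysql_literal(value):
    """Render one Python value as a MySQL literal suitable for display."""
    if value is None:
        return "NULL"
    if isinstance(value, bool):  # bool is a subclass of int; check it first
        return "1" if value else "0"
    if isinstance(value, (int, float)):
        return str(value)
    if isinstance(value, bytes):
        value = value.decode("utf-8", "replace")
    escaped = "".join(_MYSQL_ESCAPES.get(ch, ch) for ch in str(value))
    return "'" + escaped + "'"


def naive_last_executed_query(sql, params):
    """What the ticket reports: raw parameter values substituted unquoted."""
    if isinstance(params, dict):
        return sql % params
    return sql % tuple(params)


def last_executed_query(sql, params):
    """Backend-style rendering: every parameter quoted before substitution."""
    if isinstance(params, dict):
        return sql % {k: mysql_literal(v) for k, v in params.items()}
    return sql % tuple(mysql_literal(p) for p in params)


if __name__ == "__main__":
    # Constructed input mirroring the ticket's example.
    sql = "SELECT * FROM things WHERE name = %s"
    params = ['unscaped"stuff']
    print(naive_last_executed_query(sql, params))
    print(last_executed_query(sql, params))
```

The quoted form uses single quotes rather than the double quotes in the ticket's sketch, since that is the literal form MySQL itself produces; either way the point is that the parameter boundary and any embedded quotes survive, so a tool that re-parses or pretty-prints the logged statement does not choke on it.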
Change History (11)
comment:1 Changed 7 years ago by
Patch needs improvement: set
Triage Stage: Unreviewed → Accepted