id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
12923	Base last_executed_query() does not escape parameters	Pablo Brasero	Pablo Brasero	"The base implementation of `last_executed_query()` does not escape its parameters. For example, a query like the following is returned:
{{{
u'SELECT * FROM things WHERE name = unscaped""stuff'
}}}
When it should be something along the lines of:
{{{
u'SELECT * FROM things WHERE name = ""unscaped\""stuff""'
}}}
Nevertheless, it can be argued that `BaseDatabaseOperations` does not make assumptions as to what quoting scheme each different database prefers. In this case, the problem is that the MySQL backend (and probably all others except `postgresql_psycopg2`) suffer from this problem by not implementing their own versions of `last_executed_query()`.

A specific third-party piece of software that is affected by this problem is ''django-devserver''. This raises an exception on my computer when it tries to display recently executed SQL statements that contain characters such as quotes, as it relies on `last_executed_query()` to do so.

I'm attaching a patch for 1.2-beta, although 1.1 is affected too. It implements a MySQL-specific solution in the appropriate backend."	Bug	closed	Database layer (models, ORM)	1.2-beta	Normal	worksforme	last_executed_query escaping		Accepted	1	0	1	0	0	0
