Opened 14 years ago

Closed 14 years ago

Last modified 13 years ago

#1454 closed defect (fixed)

[patch] DB API quotes some SQL clauses that are not words and shouldn't be quoted

Reported by: dja@…
Owned by: Adrian Holovaty
Component: Database layer (models, ORM)
Version: 0.91
Severity: normal
Keywords: yut
Cc: tytyty
Triage Stage: Unreviewed
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no


The DB API produces incorrect SQL code with get_list() and related functions if I pass it a "select" parameter that is not a word (identifier), but doesn't have spaces in it. It quotes the parameter when it shouldn't. For example:

  wordlist = words.get_list(select = { 'wordlen' : 'length(word)' })

This will produce, in part, " SELECT [...] ("length(word)") AS "wordlen" [...] "

This patch is against v0.91. On the magic-removal branch, it looks like quote_only_if_word() in django/db/models/ has the same issue.

--- django/core/meta/__init__.py_0_91   2006-03-02 10:05:32.275065000 -0800
+++ django/core/meta/        2006-03-02 10:07:04.622115000 -0800
@@ -1585,7 +1585,7 @@

 def function_get_sql_clause(opts, **kwargs):
     def quote_only_if_word(word):
-        if ' ' in word:
+        if'\W', word):
             return word
             return db.db.quote_name(word)
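
Review bot: In quote_only_if_word(), the added condition `if'\W', word):` is not valid Python as shown: the call that should take `'\W'` and `word` is missing, and with both `return` lines at the same indentation and no `else:` between them, `return db.db.quote_name(word)` can never run. The condition should be a regular-expression test for any non-word character in `word` (which requires the module to import `re`, something this hunk does not show), with the `else:` restored before the quoting branch. Separately, with this check any `select` value containing punctuation, such as `length(word)`, goes into the SQL unquoted, so a docstring stating that `select` values are raw SQL fragments and must not be built from request data would be worth adding to the function.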

Change History (3)

comment:1 Changed 14 years ago by anonymous

Component: Admin interface → Database wrapper

comment:2 Changed 14 years ago by Adrian Holovaty

Resolution: fixed
Status: new → closed

(In [3044]) Fixed #1454 -- Improved DB API quote_only_if_word() so that it doesn't quote 'select' parameters that are not all word characters. Thanks, dja@…

comment:3 Changed 13 years ago by anonymous

Cc: tytyty added
Keywords: yut added