id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
1474	Unsafe SQL queries may lead to injection or other problems	wsobczuk@…	Adrian Holovaty	"Instead of doing this:

{{{
        cursor.execute(""INSERT INTO %s (%s) VALUES (%s)"" % \
            (db.db.quote_name(opts.db_table), ','.join(field_names),
            ','.join(placeholders)), db_values)
}}}

one should do: cursor.execute('INSERT INTO ... VALUES (%s, %s, %d, etc.)', (arg1, arg2, arg3)).

The way it is done in Django causes problems with certain content. Why not let the dbapi handle the interpolation?"	defect	closed	Database layer (models, ORM)		normal	invalid			Unreviewed	0	0	0	0	0	0
