Opened 10 years ago
Last modified 10 years ago
#23426 closed Cleanup/optimization
migrations.RunSQL's function signature implies it won't do any parameter substitution — at Initial Version
Reported by: | ris | Owned by: | nobody |
---|---|---|---|
Component: | Migrations | Version: | dev |
Severity: | Normal | Keywords: | migrations sql runsql params escape |
Cc: | info+coding@… | Triage Stage: | Accepted |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
Bit of an odd one here, and probably comes down to a matter of opinion.
migrations.RunSQL not taking any params= argument seems to imply that it doesn't do any parameter substitution on the supplied SQL, which would mean that "%"s can be used freely in the SQL.
This of course isn't the case, and doing

```python
from django.db import migrations

migrations.RunSQL("UPDATE city_table SET description = 'silly' WHERE name ILIKE '%camelot%'")
```

will screw up because psycopg2 will be confused about the "%"s.
Either RunSQL should accept params= and this should be documented, or RunSQL should attempt to nullify this by doing something like `.replace("%", "%%")` to the SQL string.
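The following is an added example, not code from the ticket or from Django itself. It models the driver-side "pyformat" interpolation that psycopg2 applies when a params sequence is supplied (Python's own `%` operator stands in for it, with simplified quoting that is an assumption of this example), to show why a bare `%` in an `ILIKE` pattern fails and how the `%%` workaround, or a proper placeholder, avoids it:

```python
# Added example (not from the ticket or Django): emulate DB-API "pyformat"
# substitution to show the "%" collision RunSQL runs into with psycopg2.
# Assumption: Python's "%" operator models psycopg2's "%s" / "%%" handling;
# the parameter quoting below is deliberately simplified, not a real escaper.

RAW_SQL = "UPDATE city_table SET description = 'silly' WHERE name ILIKE '%camelot%'"


def pyformat_substitute(sql: str, params: tuple = ()) -> str:
    """Stand-in for the driver's client-side interpolation.

    As with psycopg2, any "%" that is not part of "%s" or "%%" is an error
    even when params is empty, because the string is still scanned.
    """
    quoted = tuple("'" + str(p).replace("'", "''") + "'" for p in params)
    return sql % quoted  # raises on a stray "%" such as the one in '%camelot%'


def escape_literal_percent(sql: str) -> str:
    """The workaround the ticket proposes: double every "%" so the driver
    passes it through unchanged. Only valid for SQL with no "%s" placeholders,
    since those would be doubled too."""
    return sql.replace("%", "%%")


def substitution_breaks(sql: str) -> bool:
    """True when handing this SQL to parameter substitution with no params
    raises, i.e. RunSQL would choke on it as written."""
    try:
        pyformat_substitute(sql, ())
    except (TypeError, ValueError, IndexError):
        return True
    return False


def parameterised_form() -> str:
    """The alternative the ticket asks for: keep the pattern out of the SQL
    text and pass it as a parameter, so its "%" is never scanned."""
    sql = "UPDATE city_table SET description = 'silly' WHERE name ILIKE %s"
    return pyformat_substitute(sql, ("%camelot%",))


if __name__ == "__main__":
    print("raw breaks:", substitution_breaks(RAW_SQL))
    print("escaped:", pyformat_substitute(escape_literal_percent(RAW_SQL)))
    print("parameterised:", parameterised_form())
```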