Opened 10 years ago
Last modified 10 years ago
#23426 closed Cleanup/optimization
migrations.RunSQL's function signature implies it won't do any parameter substitution — at Version 1
Reported by: | ris | Owned by: | nobody |
---|---|---|---|
Component: | Migrations | Version: | dev |
Severity: | Normal | Keywords: | migrations sql runsql params escape |
Cc: | info+coding@… | Triage Stage: | Accepted |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description (last modified by )
Bit of an odd one here, and probably comes down to a matter of opinion.
migrations.RunSQL not taking any params= argument seems to imply that it doesn't do any parameter substitution on the supplied SQL, which would mean that "%"s can be used freely in the SQL.
This of course isn't the case and doing
migrations.RunSQL("UPDATE city_table SET description = 'silly' WHERE name ILIKE '%camelot%'")
will screw up because psycopg2 will be confused about the "%"s.
Either RunSQL should accept params= and this should be documented or RunSQL should attempt to nullify this by doing something like .replace ( "%" , "%%" ) to the SQL string to escape any.
This bug seems awfully petty now that I've submitted it.