Opened 9 years ago

Closed 8 years ago

Last modified 8 years ago

#2945 closed defect (duplicate)

DB Api - non-numeric __getitem__ parameter being inserted into LIMIT clause

Reported by: dcramer@… Owned by: adrian
Component: Database layer (models, ORM) Version: master
Severity: normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description (last modified by ubernostrum)

This seems to happen once, refreshing the view and it's gone. It's throwing "count" where the limit (of some sorts) should be.

The query it's executing is:
'SELECT files_version.id,files_version.file_id,files_version.md5,files_version.name,files_version.post_date,files_version.archive,files_version.change_log,files_version.author_id,files_version.downloads,files_version.type_id FROM files_version WHERE (files_version.file_id = %s) ORDER BY files_version.post_date DESC LIMIT count,1'

Traceback (most recent call last):
File "/usr/lib/python2.4/site-packages/django/core/handlers/base.py" in get_response
  74. response = callback(request, *callback_args, **callback_kwargs)
File "/home/www/cursedjango/cursesite/../cursesite/files/views.py" in detail
  272. return render_to_response('files/detail.html', context_instance=context)
File "/usr/lib/python2.4/site-packages/django/shortcuts/__init__.py" in render_to_response
  10. return HttpResponse(loader.render_to_string(*args, **kwargs))
File "/usr/lib/python2.4/site-packages/django/template/loader.py" in render_to_string
  104. return t.render(context_instance)
File "/usr/lib/python2.4/site-packages/django/template/__init__.py" in render
  155. return self.nodelist.render(context)
File "/usr/lib/python2.4/site-packages/django/template/__init__.py" in render
  688. bits.append(self.render_node(node, context))
File "/usr/lib/python2.4/site-packages/django/template/__init__.py" in render_node
  701. return(node.render(context))
File "/usr/lib/python2.4/site-packages/django/template/loader_tags.py" in render
  82. return compiled_parent.render(context)
File "/usr/lib/python2.4/site-packages/django/template/__init__.py" in render
  155. return self.nodelist.render(context)
File "/usr/lib/python2.4/site-packages/django/template/__init__.py" in render
  688. bits.append(self.render_node(node, context))
File "/usr/lib/python2.4/site-packages/django/template/__init__.py" in render_node
  701. return(node.render(context))
File "/usr/lib/python2.4/site-packages/django/template/loader_tags.py" in render
  23. result = self.nodelist.render(context)
File "/usr/lib/python2.4/site-packages/django/template/__init__.py" in render
  688. bits.append(self.render_node(node, context))
File "/usr/lib/python2.4/site-packages/django/template/__init__.py" in render_node
  701. return(node.render(context))
File "/usr/lib/python2.4/site-packages/django/template/__init__.py" in render
  746. output = self.filter_expression.resolve(context)
File "/usr/lib/python2.4/site-packages/django/template/__init__.py" in resolve
  548. obj = resolve_variable(self.var, context)
File "/usr/lib/python2.4/site-packages/django/template/__init__.py" in resolve_variable
  634. current = current[bits[0]]
File "/usr/lib/python2.4/site-packages/django/db/models/query.py" in __getitem__
  144. return list(self._clone(_offset=k, _limit=1))[0]
File "/usr/lib/python2.4/site-packages/django/db/models/query.py" in __iter__
  103. return iter(self._get_data())
File "/usr/lib/python2.4/site-packages/django/db/models/query.py" in _get_data
  430. self._result_cache = list(self.iterator())
File "/usr/lib/python2.4/site-packages/django/db/models/query.py" in iterator
  172. cursor.execute("SELECT " + (self._distinct and "DISTINCT " or "") + ",".join(select) + sql, params)
File "/usr/lib/python2.4/site-packages/django/db/backends/util.py" in execute
  12. return self.cursor.execute(sql, params)
File "/usr/lib/python2.4/site-packages/django/db/backends/mysql/base.py" in execute
  35. return self.cursor.execute(sql, params)
File "/usr/lib/python2.4/site-packages/MySQLdb/cursors.py" in execute
  137. self.errorhandler(self, exc, value)
File "/usr/lib/python2.4/site-packages/MySQLdb/connections.py" in defaulterrorhandler
  33. raise errorclass, errorvalue

  ProgrammingError at /en/files/details/4647/blackuweather-fishing/
  (1064, "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'count,1' at line 1")

Change History (8)

comment:1 Changed 9 years ago by ubernostrum

  • Component changed from Admin interface to Database wrapper
  • priority changed from highest to normal
  • Severity changed from critical to normal

comment:2 Changed 9 years ago by ubernostrum

Could you post the code in your app that's triggering this? Without knowing what calls you were making to the Django DB API functions, it's next to impossible to figure out where this is coming from...

comment:3 Changed 9 years ago by dcramer@…

Didn't think it had anything to do with my view so I didn't post the code, here it is:

    def detail(request, file_id):
        file = cache.get('file_%s' % file_id)
        if not file:
            file = get_object_or_404(File, visible=True, pk=file_id)
            cache.set('file_%d' % (file.id), file, 60*600)

        file_data = cache.get('file_data_%s_%s' % (request.LANGUAGE_CODE, file_id))
        if not file_data:
            file_data = Data.objects.get(file=file_id, lang=request.LANGUAGE_CODE)
            cache.set('file_data_%s_%s' % (request.LANGUAGE_CODE, file_id), file_data, 60*600)

        version_list = cache.get('version_list_%s' % file_id)
        if not version_list:
            version_list = Version.objects.filter(file=file_id).order_by('-post_date')[0:5]
            cache.set('version_list_%s' % file_id, version_list, 60*600)

        OBJECT = {'app': 'files', 'view': 'file', 'id': file_id}

        extra_context = {'file': file, 'version_list': version_list, 'file_data': file_data, 'OBJECT': OBJECT}
        context = template.RequestContext(request)
        context.update(extra_context)
        return render_to_response('files/detail.html', context_instance=context)

comment:4 Changed 9 years ago by adurdin@…

  • Summary changed from DB Api - "count" being inserted to DB Api - non-numeric __getitem__ parameter being inserted into LIMIT clause

A coworker just ran into this same problem, and it appears that QuerySet.__getitem__ is not checking that its parameter is an integer (or at least a numeric string).

We had a template that had had {% for item in dates.items %} where dates had once been a dict but was now a QuerySet, and this triggered the error. It should be quite easy to replicate/track down.
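Added example, not code from this ticket or from Django: a simplified model of the lookup seen in the traceback (`current = current[bits[0]]` reaching `__getitem__`), showing how the template name `count` lands in the LIMIT text instead of being bound like the `%s` parameter, next to a `__getitem__` that type-checks its argument. The class names, the `resolve` helper and its fallback order are assumptions made for illustration.

```python
def _is_index(v):
    # bool is a subclass of int, so exclude it explicitly
    return isinstance(v, int) and not isinstance(v, bool) and v >= 0


class UncheckedQuerySet:
    """Toy queryset: the index is formatted into the SQL text unchecked."""

    def __init__(self, table):
        self.table = table

    def _sql(self, offset, limit):
        # OFFSET/LIMIT are interpolated, not passed as bound parameters
        return "SELECT id FROM %s LIMIT %s,%s" % (self.table, offset, limit)

    def __getitem__(self, k):
        return self._sql(k, 1)  # k may be any object, e.g. the string "count"

    def count(self):
        return 3  # constructed stand-in for SELECT COUNT(*)


class CheckedQuerySet(UncheckedQuerySet):
    """Same toy queryset, but only non-negative ints and slices are accepted."""

    def __getitem__(self, k):
        if isinstance(k, slice):
            start = 0 if k.start is None else k.start
            if k.step is not None or not _is_index(start) or not _is_index(k.stop):
                raise TypeError("slice bounds must be non-negative integers")
            return self._sql(start, k.stop - start)
        if not _is_index(k):
            raise TypeError("QuerySet indices must be integers, got %r" % (k,))
        return self._sql(k, 1)


def resolve(obj, name):
    """Template-style lookup: obj[name] first, then attribute (called if callable)."""
    try:
        return obj[name]
    except (TypeError, KeyError, IndexError, AttributeError):
        value = getattr(obj, name)
        return value() if callable(value) else value


if __name__ == "__main__":
    print(resolve(UncheckedQuerySet("files_version"), "count"))
    print(resolve(CheckedQuerySet("files_version"), "count"))
```

With the type check in place, the subscript attempt raises `TypeError`, so the lookup falls through to the `count()` method instead of producing SQL.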

comment:5 Changed 8 years ago by Simon G. <dev@…>

  • Resolution set to worksforme
  • Status changed from new to closed

I'm marking this as worksforme, as I've had a good play with things here and can't seem to replicate it. Regardless of what I throw at __getitem__, it keeps raising a TypeError ("slice indices must be integers").

@adurdin - can you provide more information on what your coworker did?

comment:6 Changed 8 years ago by ubernostrum

  • Resolution worksforme deleted
  • Status changed from closed to reopened

(reopening because this is a real bug, but going to close again as a dupe of #2351, because the discussion seems to be happening over there)

comment:7 Changed 8 years ago by ubernostrum

  • Resolution set to duplicate
  • Status changed from reopened to closed

comment:8 Changed 8 years ago by ubernostrum

  • Description modified (diff)

Reformatting the traceback to make it easier to read...
