Opened 12 years ago

Closed 11 years ago

Last modified 8 years ago

#3041 closed defect (invalid)

Bug with LIKE raw SQL in CursorDebugWrapper

Reported by: yopi
Owned by: Adrian Holovaty
Component: Database layer (models, ORM)
Version:
Severity: normal
Keywords:
Cc:
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:


Using an SQL statement including the % operator (in a query such as:
"SELECT count(*), avg(b) FROM t1 WHERE c LIKE '%%%s%%'" % num_string)

the CursorDebugWrapper fails (/db/backends/ +19)
with error:
"not enough arguments for format string"
as the operator is not properly escaped.

Turning off the DEBUG variable bypasses this debug wrapper.

Change History (4)

comment:1 Changed 11 years ago by mir@…

Can you please append the full backtrace?

comment:2 Changed 11 years ago by Chris Beaven

Resolution: invalid
Status: new → closed

Yes, it will fail because the string which the cursor receives is run through string substitution of any given parameters. So either quad-quote your percents or pass it in as a parameter like you should be:

cursor.execute("SELECT count(*), avg(b) FROM t1 WHERE c LIKE %s", ('%%%s%%' % num_string,))
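As an added illustration (not code from the ticket, from Django, or from either commenter), the script below reproduces the behaviour discussed above over an in-memory sqlite3 table. The DebugCursor class is a stand-in for the debug wrapper of that era and only models the one step that matters here, rendering `sql % params` into a query log after execution; the names DebugCursor, setup_connection, count_formatted, count_param and count_param_literal, the sample rows, and the debug flag are all assumptions made for the example. It shows the reporter's failure, that it disappears with the wrapper disabled, the parameterised fix from the comment, and an ESCAPE variant for the case where a % or _ in the search term should match literally.

```python
import sqlite3


class DebugCursor:
    """Stand-in for the debug wrapper behaviour the ticket hits (an assumption
    about the old wrapper, not Django's code): after executing, it renders
    `sql % params` into a query log, which is where a raw % in the SQL text
    blows up. debug=False mirrors running with DEBUG off."""

    def __init__(self, conn, debug=True):
        self.cursor = conn.cursor()
        self.debug = debug
        self.queries = []

    def execute(self, sql, params=()):
        params = tuple(params)
        try:
            # Django's sqlite backend rewrites %s placeholders to sqlite3's ?;
            # the rest of the SQL text goes to the driver unchanged.
            return self.cursor.execute(sql.replace('%s', '?'), params)
        finally:
            if self.debug:
                # Raises TypeError("not enough arguments for format string")
                # when the SQL text contains a % that is not a placeholder.
                self.queries.append(sql % params)

    def fetchone(self):
        return self.cursor.fetchone()


def setup_connection():
    """Constructed sample table; column names follow the ticket's query."""
    conn = sqlite3.connect(':memory:')
    conn.execute("CREATE TABLE t1 (b REAL, c TEXT)")
    conn.executemany("INSERT INTO t1 VALUES (?, ?)", [
        (1.0, 'alice'), (2.0, 'malice'), (3.0, 'bob'),
        (4.0, '100% done'), (5.0, '1000 items'),
    ])
    return conn


def count_formatted(cursor, num_string):
    """The reporter's pattern: the search term is baked into the SQL text, so
    the statement carries literal % characters. Works with debug=False and
    fails under the debug wrapper."""
    sql = "SELECT count(*), avg(b) FROM t1 WHERE c LIKE '%%%s%%'" % num_string
    cursor.execute(sql)
    return cursor.fetchone()


def count_param(cursor, num_string):
    """The fix from the comment: the whole LIKE pattern is a bound parameter,
    so the SQL text holds only the %s placeholder and the value never becomes
    part of the query string."""
    cursor.execute("SELECT count(*), avg(b) FROM t1 WHERE c LIKE %s",
                   ('%%%s%%' % num_string,))
    return cursor.fetchone()


def count_param_literal(cursor, num_string):
    """Same, but % and _ inside the user's term are matched literally via an
    ESCAPE clause; without it '100%' also matches '1000 items'."""
    escaped = (num_string.replace('\\', '\\\\')
                         .replace('%', '\\%')
                         .replace('_', '\\_'))
    cursor.execute("SELECT count(*), avg(b) FROM t1 WHERE c LIKE %s ESCAPE '\\'",
                   ('%%%s%%' % escaped,))
    return cursor.fetchone()


if __name__ == '__main__':
    conn = setup_connection()
    print(count_param(DebugCursor(conn), 'alice'))                   # (2, 1.5)
    print(count_param(DebugCursor(conn), '100%'))                    # (2, 4.5)
    print(count_param_literal(DebugCursor(conn), '100%'))            # (1, 4.0)
    print(count_formatted(DebugCursor(conn, debug=False), 'alice'))  # (2, 1.5)
    try:
        count_formatted(DebugCursor(conn), 'alice')
    except TypeError as err:
        print('debug wrapper:', err)  # not enough arguments for format string
```

The parameterised form is the one to keep regardless of the debug wrapper: the driver receives the SQL text and the value separately, so the value can never change the shape of the statement. The ESCAPE variant covers the remaining edge case, where wildcard characters typed by the user are meant as ordinary text rather than pattern syntax.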

comment:3 Changed 10 years ago by Thomas Güttler

Cc: hv@… added

Reopened as #9055

comment:4 Changed 8 years ago by Thomas Güttler

Cc: hv@… removed