#3041 closed defect (invalid)
Bug with LIKE raw SQL in CursorDebugWrapper
| Reported by: | yopi | Owned by: | Adrian Holovaty |
|---|---|---|---|
| Component: | Database layer (models, ORM) | Version: | |
| Severity: | normal | Keywords: | |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | no | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Using SQL statement including the % operator (in query such as:
SELECT count(*), avg(b) FROM t1 WHERE c LIKE '%%%s%%'" %num_string)
the CursorDebugWrapper fails (/db/backends/util.py +19)
with error:
"not enough arguments for format string"
as the operator is not properly escaped.
Turning off the DEBUG variable bypass this debug.
Change History (4)
comment:1 by , 18 years ago
comment:2 by , 17 years ago
| Resolution: | → invalid |
|---|---|
| Status: | new → closed |
Yes, it will fail because the string which the cursor receives is runs through string substitution of any given parameters. So either quad-quote your percents or pass it in as a parameter like you should be:
cursor.execute("SELECT count(*), avg(b) FROM t1 WHERE c LIKE %s", ('%%%s%%'" % num_string,))
comment:4 by , 15 years ago
| Cc: | removed |
|---|
Note:
See TracTickets
for help on using tickets.
Can you please append the full backtrace?