﻿id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
305	SQL code was not whitespace safe?	scanner@…	Adrian Holovaty	"Using the PostgreSQL backend, I have a model, ""albums"", which only has two fields. The important field is:
      meta.CharField('name', maxlength = 512)

So I create the model fun. Now in Python code I do the following:

   album = albums.get_object(name__exact = album_name)

Where album was the string ""Dungeon Keeper 2""

This died with the error: 

  File ""/usr/local/lib/python2.4/site-packages/django/utils/functional.py"", line 3, in _curried
    return args[0](*(args[1:]+moreargs), **dict(kwargs.items() + morekwargs.items()))
  File ""/usr/local/lib/python2.4/site-packages/django/core/meta/__init__.py"", line 1013, in function_get_object
    obj_list = function_get_list(opts, klass, **kwargs)
  File ""/usr/local/lib/python2.4/site-packages/django/core/meta/__init__.py"", line 1053, in function_get_list
    return list(function_get_iterator(opts, klass, **kwargs))
  File ""/usr/local/lib/python2.4/site-packages/django/core/meta/__init__.py"", line 1036, in function_get_iterator
    cursor.execute(""SELECT "" + (kwargs.get('distinct') and ""DISTINCT "" or """") + "","".join(select) + sql, params)
  File ""/usr/local/lib/python2.4/site-packages/django/core/db/base.py"", line 10, in execute
    result = self.cursor.execute(sql, params)
psycopg.ProgrammingError: ERROR:  syntax error at or near ""Keeper"" at character 123

SELECT music_albums.id,music_albums.name,music_albums.simplified_name FROM music_albums WHERE music_albums.name = Dungeon Keeper 2

Now if I modify my call to be:

   album = albums.get_object(name__exact = ""'%s'"" % album_name)

it works (note the ""'%s'"", thus quoting the string). I would have thought it would do SQL-safe quoting of my strings for me?
"	defect	new	Database layer (models, ORM)	1.0	normal		quoting strings for 'get_object(<field>__exact = ...)'		Unreviewed	0	0	0	0	0	0
