Opened 7 years ago

Last modified 3 years ago

#6343 new Bug

% symbols not escaped in db_column column names when preparing queries

Reported by: Daniel Pope <dan@…>
Owned by: nobody
Component: Database layer (models, ORM)
Version: master
Severity: Normal
Keywords:
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: yes
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

Using % in database column names (specified using db_column) causes the database wrapper to fail when preparing queries.

This is because the % symbol is not properly quoted (as %%), and conflicts with the usage of %s for passing parameters to queries.

I am attaching a patch for the MySQL backend where I encountered the issue; I'm not sure if other backends exhibit this bug because it presumably depends both on whether the database natively supports % characters in column names, and on the Python DB-API paramstyle.
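The following is an added illustration of the failure the description reports; it is not code from the ticket's patch or from Django. The `prepare()` function is a deliberately simplified stand-in for what a `paramstyle = "format"` driver such as MySQLdb does (assumption: it escapes the parameter values and then interpolates the SQL template with Python's `%` operator), and `quote_name()`, `build_select()`, `run()` and `sqlite_roundtrip()` are hypothetical helper names chosen for this example. It also goes slightly beyond the report by showing, with the standard-library `sqlite3` module, that a `qmark` driver passes the template through untouched and so does not need the `%%` escaping.

```python
"""Why a % in a column name breaks format-style parameter substitution,
and how doubling it to %% fixes that.

Everything here is a constructed example; prepare() only imitates a
DB-API driver with paramstyle 'format' and is not any driver's real code.
"""
import sqlite3


def sql_literal(value):
    """Render a Python value as an SQL literal.

    Simplified stand-in for a driver's value escaping: only str and int are
    handled, which is enough for this demonstration.
    """
    if isinstance(value, str):
        return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"
    if isinstance(value, int):
        return str(value)
    raise TypeError(f"unsupported parameter type: {type(value).__name__}")


def prepare(query, params):
    """Imitate a paramstyle='format' driver: every %s in the template is
    replaced by the escaped literal of the matching parameter.  Any other
    % sequence in the template is interpreted by Python's % operator too,
    which is exactly where an unescaped % in an identifier goes wrong."""
    return query % tuple(sql_literal(p) for p in params)


def quote_name(name, escape_percent=False):
    """Quote an identifier MySQL-style with backticks.

    With escape_percent=True each literal % in the identifier is doubled so
    that it survives the driver's %-interpolation unchanged.  A qmark driver
    (sqlite3) never interpolates, so the default leaves the name alone.
    """
    name = name.replace("`", "``")  # a backtick inside an identifier is doubled
    if escape_percent:
        name = name.replace("%", "%%")
    return f"`{name}`"


def build_select(column, table, escape_percent):
    """Build the kind of template an ORM hands to the driver: identifiers
    already quoted, parameter values still represented by %s."""
    return (f"SELECT {quote_name(column, escape_percent)} "
            f"FROM {quote_name(table)} WHERE id = %s")


def run(column, escape_percent):
    """Prepare a SELECT on `column` and return the final SQL, or the error a
    format-style driver raises when the template is malformed."""
    query = build_select(column, "t", escape_percent)
    try:
        return prepare(query, (7,))
    except (TypeError, ValueError) as exc:
        # '%`' is an unsupported format character; '%s' inside the name
        # silently eats a parameter and leaves the real placeholder unfilled.
        return f"ERROR: {exc}"


def value_with_percent():
    """A % inside a *parameter value* is harmless: values are substituted
    after escaping and are never interpolated a second time."""
    return prepare("SELECT 1 FROM t WHERE name = %s", ("100%",))


def sqlite_roundtrip(column):
    """sqlite3 uses paramstyle 'qmark'; the template reaches the engine as
    written, so a % in the column name needs no escaping there."""
    con = sqlite3.connect(":memory:")
    con.execute(f"CREATE TABLE t (id INTEGER, {quote_name(column)} INTEGER)")
    con.execute("INSERT INTO t VALUES (?, ?)", (7, 42))
    row = con.execute(
        f"SELECT {quote_name(column)} FROM t WHERE id = ?", (7,)).fetchone()
    con.close()
    return row[0]


if __name__ == "__main__":
    print(run("pct%", escape_percent=False))   # ERROR: unsupported format character ...
    print(run("pct%", escape_percent=True))    # SELECT `pct%` FROM `t` WHERE id = 7
    print(run("pct%s", escape_percent=False))  # ERROR: not enough arguments ...
    print(value_with_percent())                # SELECT 1 FROM t WHERE name = '100%'
    print(sqlite_roundtrip("pct%"))            # 42
```

The two failure modes are worth keeping apart when triaging reports like this one: a `%` followed by a character that is not a valid conversion (here the closing backtick) raises immediately, while a name such as `pct%s` is a syntactically valid placeholder, so it swallows one of the real parameters and shifts every later value by one position. The escaping therefore belongs wherever identifiers are quoted for a format-style driver, and only there; doubling `%` for a qmark driver would put a literal `%%` into the SQL the engine sees.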

Attachments (1)

percent_column_names.diff (514 bytes) - added by Daniel Pope <dan@…> 7 years ago.
Patch for MySQL backend


Change History (7)

Changed 7 years ago by Daniel Pope <dan@…>

Patch for MySQL backend

comment:1 Changed 7 years ago by Simon Greenhill <dev@…>

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Triage Stage changed from Unreviewed to Design decision needed

You can use % in db column names? I really think that's a bad bad idea to start with, but I'll put this as Design Dec. Needed just in case.

comment:2 Changed 4 years ago by julien

  • Severity set to Normal
  • Type set to Bug

Guessing from the report, I take it this is a bug, but I'm not sure if it is still a valid one though...

comment:3 Changed 4 years ago by julien

  • Needs tests set

comment:4 Changed 4 years ago by julien

See #11391 for a potentially related issue.

comment:5 Changed 4 years ago by julien

See some other issues relating to the use of the % character and escaping: #3485, #12268, #11391, #13648. Perhaps some of these could be tackled at the same time.

comment:6 Changed 3 years ago by carljm

  • Easy pickings unset
  • Triage Stage changed from Design decision needed to Accepted
  • UI/UX unset

This either needs to be fixed, or if that's not technically feasible in a sane way, documented.

#11391, closed as a duplicate of this, also raises the issue that this can happen with field names, not just table names. That should also be addressed.
