Opened 9 years ago

Last modified 5 years ago

#6343 new Bug

% symbols not escaped in db_column column names when preparing queries

Reported by: Daniel Pope <dan@…>
Owned by: nobody
Component: Database layer (models, ORM)
Version: master
Severity: Normal
Keywords:
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: yes
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

Using % in database column names (specified using db_column) causes the database wrapper to fail when preparing queries.

This is because the % symbol is not properly quoted (as %%), and conflicts with the usage of %s for passing parameters to queries.

I am attaching a patch for the MySQL backend where I encountered the issue; I'm not sure if other backends exhibit this bug because it presumably depends both on the database's native capability to support % characters in column names, and on the Python DB-API paramstyle.
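The failure the report describes, as an added example that is not Django's code and not the attached patch: it models a DB-API driver with paramstyle `format` that substitutes parameters client-side with Python's `%` operator (as MySQLdb does), and shows why an unescaped `%` in a db_column name breaks preparation, and why doubling it to `%%` does not. `quote_name`, `build_select` and `simulate_driver` are hypothetical helpers written for this illustration.

```python
# Added example, not code from Django or from the ticket's patch: models a
# DB-API driver with paramstyle 'format' that interpolates parameters with
# Python's '%' operator (as MySQLdb does).  All helpers here are hypothetical.

def quote_name(name):
    """Quote a MySQL-style identifier with backticks, doubling embedded ones."""
    return "`%s`" % name.replace("`", "``")

def escape_percent(sql_fragment):
    """Double '%' so a later '%'-formatting pass treats it as a literal."""
    return sql_fragment.replace("%", "%%")

def build_select(column, table, safe=True):
    """Return 'SELECT <column> FROM <table> WHERE id = %s' (one placeholder).
    With safe=False the identifier's '%' is left raw, as in the reported bug."""
    col = quote_name(column)
    if safe:
        col = escape_percent(col)
    return "SELECT %s FROM %s WHERE id = %%s" % (col, quote_name(table))

def simulate_driver(sql, params):
    """Stand-in for the driver's execute(): interpolate params into the query.
    Restricted to ints so no value quoting is needed in this demo."""
    if not all(isinstance(p, int) for p in params):
        raise TypeError("demo accepts int parameters only")
    return sql % tuple(params)

def try_prepare(column, table, params, safe):
    """Prepare the query, returning the SQL or an 'ERROR: ...' string."""
    try:
        return simulate_driver(build_select(column, table, safe), params)
    except (ValueError, TypeError) as exc:
        return "ERROR: %s" % exc

if __name__ == "__main__":
    # Unescaped: '%`' is not a valid conversion -> ValueError from the driver.
    print(try_prepare("discount%", "t", [5], safe=False))
    # Escaped as '%%': the identifier survives and the placeholder still binds.
    print(try_prepare("discount%", "t", [5], safe=True))
    # Worse case: a name ending in '%s' silently consumes a parameter when
    # unescaped, so the wrong value is bound to the WHERE clause.
    print(try_prepare("pct%s", "t", [5, 7], safe=False))
    print(try_prepare("pct%s", "t", [5], safe=True))
```

The doubling is only correct for drivers whose paramstyle is `format` or `pyformat`; a `qmark` or `named` driver never runs the query through `%` formatting, so the same escaping would leave a literal `%%` in the identifier.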

Attachments (1)

percent_column_names.diff (514 bytes) - added by Daniel Pope <dan@…> 9 years ago.
Patch for MySQL backend


Change History (7)

Changed 9 years ago by Daniel Pope <dan@…>

Attachment: percent_column_names.diff added

Patch for MySQL backend

comment:1 Changed 9 years ago by Simon Greenhill <dev@…>

Triage Stage: Unreviewed → Design decision needed

You can use % in db column names? I really think that's a bad bad idea to start with, but I'll put this as Design Dec. Needed just in case.

comment:2 Changed 6 years ago by Julien Phalip

Severity: Normal
Type: Bug

Guessing from the report, I take it this is a bug, but I'm not sure if it is still a valid one though...

comment:3 Changed 6 years ago by Julien Phalip

Needs tests: set

comment:4 Changed 6 years ago by Julien Phalip

See #11391 for a potentially related issue.

comment:5 Changed 6 years ago by Julien Phalip

See some other issues relating to the use of the % character and escaping: #3485, #12268, #11391, #13648. Perhaps some of these could be tackled at the same time.

comment:6 Changed 5 years ago by Carl Meyer

Easy pickings: unset
Triage Stage: Design decision needed → Accepted
UI/UX: unset

This either needs to be fixed, or if that's not technically feasible in a sane way, documented.

#11391 closed as duplicate of this, also raises the issue that this can happen with field names, not just table names. That should also be addressed.
