% symbols not escaped in db_column column names when preparing queries
|Reported by:||Daniel Pope <dan@…>||Owned by:||nobody|
|Component:||Database layer (models, ORM)||Version:||master|
|Has patch:||yes||Needs documentation:||no|
|Needs tests:||yes||Patch needs improvement:||no|
Using % in database column names (specified using db_column) causes the database wrapper to fail when preparing queries.
This is because the % symbol is not properly quoted (as %%), and conflicts with the usage of %s for passing parameters to queries.
I am attaching a patch for the MySQL backend where I encountered the issue; I'm not sure if other backends exhibit this bug because it presumably depends both on whether the database's native capability to support % characters in column names, and on the Python DB-API paramstyle.
Change History (7)
Changed 8 years ago by Daniel Pope <dan@…>
comment:1 Changed 8 years ago by Simon Greenhill <dev@…>
- Needs documentation unset
- Needs tests unset
- Patch needs improvement unset
- Triage Stage changed from Unreviewed to Design decision needed