#34459: contrib.postgres.search.SearchVector.as_sql can return query strings that are unsafe to combine
--------------------------------------------+------------------------
               Reporter:  Patryk Zawadzki   |          Owner:  (none)
                   Type:  Bug               |         Status:  new
              Component:  contrib.postgres  |        Version:  4.2
               Severity:  Normal            |       Keywords:
           Triage Stage:  Unreviewed        |      Has patch:  0
    Needs documentation:  0                 |    Needs tests:  0
Patch needs improvement:  0                 |  Easy pickings:  0
                  UI/UX:  0                 |
--------------------------------------------+------------------------
 As the function specifically calls {{{connection.ops.compose_sql}}}, the
 returned {{{sql}}} will have all parameters inlined.

 An unintended consequence is that if you pass it a value that contains a
 percent sign, like {{{Value("10% OFF")}}}, the resulting {{{sql}}} will
 have the {{{%}}} character inlined. Such values will result in a
 {{{ProgrammingError}}} as soon as you attempt to combine the SearchVector
 with any expression that relies on {{{params}}}.

 Depending on whether you use psycopg2 or psycopg 3, the resulting error
 will tell you that there are not enough params to format the query
 template or that there is an unescaped {{{%}}} in the query.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/34459>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
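A constructed, stand-alone model of the failure the ticket describes, added here as an illustration; it is not Django's code and none of its helpers exist in Django under these names. `compose_sql`, `search_vector_sql`, `search_query_sql`, `combine` and `bind` are toy stand-ins for `connection.ops.compose_sql`, `SearchVector.as_sql`, a params-carrying expression, the compiler's handling of a combined expression, and the adapter's `%`-style client-side binding. `escape_percent` is a generic mitigation for the toy (spelling a literal `%` as `%%` in any fragment that will be formatted again), not a statement of how Django resolved the ticket.

```python
# Constructed model of the hazard in ticket #34459; not Django's code.
# The helpers stand in for connection.ops.compose_sql, SearchVector.as_sql,
# the compiler's fragment concatenation and psycopg2-style %-formatting,
# just enough to reproduce the failure and show one defensive fix.


def quote_literal(value) -> str:
    """Render a Python value as a SQL literal (toy quoting: str and numbers only)."""
    if isinstance(value, str):
        return "'" + value.replace("'", "''") + "'"
    if isinstance(value, (int, float)):
        return str(value)
    raise TypeError(f"unsupported literal type: {type(value).__name__}")


def compose_sql(sql: str, params: list) -> str:
    """Stand-in for connection.ops.compose_sql: inline every %s placeholder.

    Only the template is %-formatted, the parameter values are not, so a '%'
    inside a value survives into the returned SQL as a bare '%'.
    """
    return sql % tuple(quote_literal(p) for p in params)


def escape_percent(sql: str) -> str:
    """Defensive step: a fragment that will be %-formatted again must spell '%' as '%%'."""
    return sql.replace("%", "%%")


def search_vector_sql(text: str, escape: bool = False) -> tuple[str, list]:
    """Model of SearchVector.as_sql: fully inlined SQL and an empty params list."""
    sql = compose_sql("to_tsvector(%s)", [text])
    if escape:
        sql = escape_percent(sql)
    return sql, []


def search_query_sql(term: str) -> tuple[str, list]:
    """Model of an expression that still relies on params (e.g. a SearchQuery)."""
    return "to_tsquery(%s)", [term]


def combine(left: tuple[str, list], right: tuple[str, list]) -> tuple[str, list]:
    """What the compiler does for a combined expression: join SQL, concatenate params."""
    return f"{left[0]} || {right[0]}", [*left[1], *right[1]]


def bind(sql: str, params: list) -> tuple[bool, str]:
    """Stand-in for client-side binding (psycopg2 style): format sql with params.

    Returns (True, final_sql) or (False, error_text) instead of raising, so the
    outcome can be inspected. A real adapter surfaces this as ProgrammingError.
    """
    try:
        return True, sql % tuple(quote_literal(p) for p in params)
    except (TypeError, ValueError) as exc:
        return False, f"{type(exc).__name__}: {exc}"


def run(vector_text: str, term: str, escape: bool = False) -> tuple[bool, str]:
    """End to end: SearchVector(vector_text) || SearchQuery(term), then bind."""
    return bind(*combine(search_vector_sql(vector_text, escape), search_query_sql(term)))


if __name__ == "__main__":
    print(run("free shipping", "ship"))         # binds fine: nothing to misread
    print(run("10% OFF", "off"))                # fails: '% O' is read as a conversion spec
    print(run("10% OFF", "off", escape=True))   # binds fine: '%%' collapses back to '%'
```

The first call shows why the defect is latent: a value without `%` inlines and combines cleanly, so the bug only surfaces on user-supplied text that happens to contain a percent sign. The second reproduces the ticket's failure mode, and the third shows that a fragment which has already had its parameters inlined must be treated as a template, not as finished SQL, whenever it is going to be concatenated with a params-carrying fragment.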