Keep in mind, if you are using the Django ORM, you don't need to worry 
about quoting names: it will do it for you.  Only if you are creating 
SQL statements as strings yourself do you need to think about quoting. 

Also, I'm not sure what you need done to the variable that quoting isn't 
doing.  Perhaps if you included some more context of your problem...

--Ned.
http://nedbatchelder.com/blog

Nianbig wrote:
>
> On Dec 9, 12:57 am, "Karen Tracey" <[EMAIL PROTECTED]> wrote:
>
>> On Dec 8, 2007 5:58 PM, Nianbig <[EMAIL PROTECTED]> wrote:
>>
>>> On Dec 8, 11:54 pm, Malcolm Tredinnick <[EMAIL PROTECTED]> wrote:
>>>
>>>> On Sat, 2007-12-08 at 14:28 -0800, Nianbig wrote:
>>>>
>>>>> I'm trying to use django.db.backend.quote_name function to prevent
>>>>> SQL-injection, as stated in the Django Book Security-chapter,
>>>>> http://www.djangobook.com/en/beta/chapter20/.
>>>>>
>>>>> But I'm having difficulties in getting it working, "Could not import
>>>>> portal.objects.views.start. Error was: cannot import name quote_name".
>>>>> I'm using 0.9.1, is this function only available in the development
>>>>> branch?
>>>>
>>>> You aren't going to have much success at all using the Django Book with
>>>> 0.91. There were *massive* changes between 0.91 and 0.9, whereby the
>>>> source code was quite drastically rearranged, amongst other things.
>>>> Basically 0.91 and 0.96 (the version used for the book) are quite
>>>> different animals and the code you write with each one is sufficiently
>>>> different that if you're not able to search through the source to find
>>>> quote_name, you're going to be completely stuck further down the road.
>>>>
>>>> Quote_name() does exist in 0.91, but since django.db doesn't exist, you
>>>> need to look under django.core.db.* in that case. But seriously, trying
>>>> to use the Django Book with 0.91 will only lead to tears. In fact,
>>>> trying to use 0.91 for anything except unbelievably profitable legacy
>>>> code isn't recommended, there have been far too many improvements in the
>>>> intervening two years.
>>>
>>> Sorry, my fault. I'm using _0.9.6.1_ not 0.9.1... Missed a "6" there.
>>
>> Now that that is cleared up, it sounds like you are trying to do:
>>
>> from django.db.backend import quote_name
>>
>> try instead:
>>
>> from django.db import backend
>>
>> and then use backend.quote_name() where you want to quote stuff.
>>
>
> Thank you, it works!
> The function doesn't really do what I want though... I thought it was
> going to escape a POST-variable to be SQL-secure... but it just adds
> quotes around it..
> Is there another function for this?
>
> Thanks again.
> /Nianbig
>

-- 
Ned Batchelder, http://nedbatchelder.com
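An added illustration of the point above, not code from this thread or from Django itself: quote_name() only wraps an identifier (a table or column name) in quotes, so pushing a request value through it does not make the value safe, while passing the value as a query parameter does. The quote_name() below is a stand-in that mimics the sqlite backend's double-quoting; the table, rows and function names are constructed for the example.

```python
import sqlite3


def quote_name(name):
    # Stand-in for Django's backend.quote_name() as the sqlite backend does it:
    # wrap an identifier (table or column name) in double quotes, leaving an
    # already-quoted name alone. It neither escapes nor validates the text.
    if name.startswith('"') and name.endswith('"'):
        return name
    return '"%s"' % name


def setup_db():
    # Constructed sample table; not data from the thread.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, 'o"malley')])
    return conn


def sql_via_quote_name(username):
    # What the poster tried: pushing a POST value through quote_name().
    # The value is spliced into the statement text; a quote inside it is
    # not escaped, so the shape of the statement follows the input.
    return "SELECT id FROM users WHERE username = %s" % quote_name(username)


def run_via_quote_name(conn, username):
    # Returns the ids found, or None if the database rejected the statement.
    try:
        return [row[0] for row in conn.execute(sql_via_quote_name(username))]
    except sqlite3.OperationalError:
        return None


def find_user_ids(conn, table, column, username):
    # Correct split of duties: quote_name() for the identifiers, a bound
    # parameter ("?") for the value. The driver sends the value separately
    # from the statement, so an embedded quote is just data.
    sql = "SELECT id FROM %s WHERE %s = ?" % (quote_name(table), quote_name(column))
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    conn = setup_db()
    print(sql_via_quote_name('o"malley'))                        # malformed SQL
    print(run_via_quote_name(conn, 'o"malley'))                  # None
    print(find_user_ids(conn, "users", "username", 'o"malley'))  # [3]
```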

