Re: [Django] #16407: Unicode not working for direct SQL INSERT

2011-07-07 Thread Django
#16407: Unicode not working for direct SQL INSERT
-+-
            Reporter:  mashedmeat  |  Owner:  nobody
                Type:  Bug         |  Status:  closed
           Milestone:              |  Component:  Database layer (models, ORM)
             Version:  1.3         |  Severity:  Normal
          Resolution:  invalid     |  Keywords:
        Triage Stage:  Unreviewed  |  Has patch:  0
 Needs documentation:  0           |  Needs tests:  0
 Patch needs improvement:  0       |  Easy pickings:  0
               UI/UX:  0           |
-+-

Comment (by lukeplant):

 A quick note - you should use connection.ops.quote_name to quote the table
 name before doing string interpolation. This is not guaranteed to protect
 against malicious input, but can help with spaces and some other funny
 characters.

-- 
Ticket URL: 
Django 
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To post to this group, send email to django-updates@googlegroups.com.
To unsubscribe from this group, send email to 
django-updates+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/django-updates?hl=en.



Re: [Django] #16407: Unicode not working for direct SQL INSERT

2011-07-05 Thread Django
#16407: Unicode not working for direct SQL INSERT
-+-
            Reporter:  mashedmeat  |  Owner:  nobody
                Type:  Bug         |  Status:  closed
           Milestone:              |  Component:  Database layer (models, ORM)
             Version:  1.3         |  Severity:  Normal
          Resolution:  invalid     |  Keywords:
        Triage Stage:  Unreviewed  |  Has patch:  0
 Needs documentation:  0           |  Needs tests:  0
 Patch needs improvement:  0       |  Easy pickings:  0
               UI/UX:  0           |
-+-
Changes (by aaugustin):

 * status:  new => closed
 * resolution:   => invalid


Comment:

 This is not specific to Django; it's a direct consequence of the DB-API
 (PEP 249, if memory serves).

 The database adapter has no way of knowing which parameters should be
 escaped as table names and which parameters should be escaped as "regular
 parameters" — no magic here.

 You must use string interpolation to insert the table name in the SQL
 query, and parameter substitution for the parameters. I hope your table
 names are not derived from user input :) You may validate them against a
 whitelist or a simple regexp if they're really variable.




Re: [Django] #16407: Unicode not working for direct SQL INSERT

2011-07-05 Thread Django
#16407: Unicode not working for direct SQL INSERT
-+-
            Reporter:  mashedmeat  |  Owner:  nobody
                Type:  Bug         |  Status:  new
           Milestone:              |  Component:  Database layer (models, ORM)
             Version:  1.3         |  Severity:  Normal
          Resolution:              |  Keywords:
        Triage Stage:  Unreviewed  |  Has patch:  0
 Needs documentation:  0           |  Needs tests:  0
 Patch needs improvement:  0       |  Easy pickings:  0
               UI/UX:  0           |
-+-
Changes (by BernhardEssl):

 * needs_better_patch:   => 0
 * needs_tests:   => 0
 * needs_docs:   => 0


Comment:

 The table name gets escaped with single quotes, which isn't correct SQL
 syntax.

 {{{
 cursor.execute("INSERT INTO %s VALUES (NULL, %s, %s)", ["django_site",
 "foo", "bar"])

 #INSERT INTO 'django_site' VALUES (NULL, 'foo', 'bar')
 }}}

 I'm not sure if this is really a bug.

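The three comments above in one runnable script: lukeplant's pointer to connection.ops.quote_name, aaugustin's rule of interpolating the (validated) table name into the SQL text while binding the values as parameters, and BernhardEssl's observation that a table name passed as a parameter is treated as a string value and rejected by the database. This is an added example, not code from the ticket or from Django itself. It uses the standard-library sqlite3 module rather than a Django connection, so it runs offline; the local quote_identifier function, the IDENTIFIER_RE regexp and the ALLOWED_TABLES allowlist are assumptions standing in for connection.ops.quote_name and for whatever validation your own application applies, and the schema and the word/translation pairs are constructed for the demo.

```python
import re
import sqlite3

# Allowlist of tables this code may write to.  Constructed for the example;
# in a real application this is your own configuration, never request data.
ALLOWED_TABLES = frozenset({"translations", "django_site"})

# Plain SQL identifier: letters, digits and underscore, not starting with a
# digit.  Anything else (quotes, spaces, semicolons, comments) is refused.
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def quote_identifier(name):
    """Validate a table name and quote it for interpolation into SQL text.

    Stands in for Django's connection.ops.quote_name on SQLite, which wraps
    the name in double quotes.  Quoting only deals with spaces and odd
    characters; the regexp and allowlist checks are what actually reject a
    hostile name, so they run first.
    """
    if not IDENTIFIER_RE.match(name):
        raise ValueError("invalid table name: %r" % (name,))
    if name not in ALLOWED_TABLES:
        raise ValueError("table not permitted: %r" % (name,))
    return '"%s"' % name


def insert_row_binding_table_name(conn, table, word, translation):
    """The approach from the ticket: bind the table name as a parameter.

    sqlite3 uses the qmark paramstyle, so '?' here is what Django's '%s'
    becomes on this backend.  A bound parameter is a value, not an
    identifier, so the statement cannot even be parsed.  Returns the
    driver's error message, or None if the insert unexpectedly succeeded.
    """
    try:
        conn.execute(
            "INSERT INTO ? (word, translation) VALUES (?, ?)",
            (table, word, translation),
        )
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


def insert_row(conn, table, word, translation):
    """The correct split: validated identifier by string interpolation,
    values by parameter binding.  Unicode values need no special handling
    because the driver binds them as values.  Returns the new rowid."""
    sql = "INSERT INTO %s (word, translation) VALUES (?, ?)" % quote_identifier(table)
    cur = conn.execute(sql, (word, translation))
    return cur.lastrowid


def fetch_translation(conn, table, word):
    """Read back a translation, using the same identifier/value split."""
    sql = "SELECT translation FROM %s WHERE word = ?" % quote_identifier(table)
    row = conn.execute(sql, (word,)).fetchone()
    return row[0] if row else None


def make_demo_connection():
    """In-memory database with the schema the example needs (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE translations (word TEXT, translation TEXT)")
    return conn


def demo():
    """Run the failing, working and hostile cases; return their outcomes."""
    conn = make_demo_connection()
    bind_error = insert_row_binding_table_name(conn, "translations", "pickle", "泡菜")
    insert_row(conn, "translations", "pickle", "泡菜")
    hostile = 'translations"; DROP TABLE translations; --'
    try:
        insert_row(conn, hostile, "x", "y")
        hostile_rejected = False
    except ValueError:
        hostile_rejected = True
    return {
        "bind_error": bind_error,
        "translation": fetch_translation(conn, "translations", "pickle"),
        "hostile_rejected": hostile_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The quoting character is backend-specific (double quotes on SQLite and PostgreSQL, backticks on MySQL), which is why Django exposes it as connection.ops.quote_name rather than leaving it to the caller; what makes the interpolated name safe is the regexp and allowlist check in front of it, not the quoting.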



[Django] #16407: Unicode not working for direct SQL INSERT

2011-07-04 Thread Django
#16407: Unicode not working for direct SQL INSERT
+--
 Reporter:  mashedmeat  |  Owner:  nobody
 Type:  Bug | Status:  new
Milestone:  |  Component:  Database layer (models, ORM)
  Version:  1.3 |   Severity:  Normal
 Keywords:  |   Triage Stage:  Unreviewed
Has patch:  0   |  Easy pickings:  0
UI/UX:  0   |
+--
 I've only tried this bug using "INSERT INTO" and "INSERT OR REPLACE INTO".
 The problem is that I can't use params. Here's what I was trying:

 {{{
 from django.db import connection  # assumed setup, not in the original snippet
 cursor = connection.cursor()

 word = "pickle"
 translation = googleTranslate('english', 'chinese', word)  # reporter's own helper: from, to, word-to-be-translated
 cursor.execute("INSERT INTO %s VALUES (%s, %s)", [table, word, translation])  # table won't insert here...
 }}}

 In order to bypass this, I had to insert it using a string, which was
 explicitly stated to be a security problem in the documentation:

 {{{
 insert_sql = "INSERT INTO %s VALUES" % (table_name)  # table name interpolated into the SQL text
 insert_sql = insert_sql + " (%s, %s)"
 cursor.execute(insert_sql, [word, translation])  # values still passed as parameters
 }}}

 (the code is a little different, because it's my actual code. I wrote the
 last code bit to try to better illustrate what's going on.)

 Best,
 Loren
