[issue37106] python re.escape doesn't escape some special characters.

2019-05-31 Thread Eric V. Smith


Eric V. Smith  added the comment:

re.escape() is designed to only escape characters that have special meaning in 
regular expressions. It is not a general purpose escaping mechanism, and it is 
especially dangerous to use it for building SQL statements.

You should be using parameterized SQL queries. See 
https://en.wikipedia.org/wiki/SQL_injection and for example 
https://stackoverflow.com/questions/162/how-to-put-parameterized-sql-query-into-variable-and-then-execute-in-python

In any event, it seems that re.escape() is working as designed, so I'm going to 
close this.

--
resolution:  -> not a bug
stage: test needed -> resolved
status: open -> closed

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
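The point made in the comment above, as an added example that is not part of the original thread: it compares the re.escape() + str.format() pattern from the report with a parameterized query. It assumes the standard-library sqlite3 module in place of MySQL/pymysql so that it runs offline, and the table name `notes` is hypothetical; pymysql takes the values the same way, as the second argument to cursor.execute(), but with %s placeholders instead of ?.

```python
import re
import sqlite3

# Constructed sample values; the first is the string from the thread.
SAMPLES = ["Hello'`~world", "v1.0 (beta)", "50% off\\today"]


def new_db():
    """Fresh in-memory database with one text column (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (body TEXT)")
    return conn


def store_formatted(value):
    """Pattern from the thread: re.escape() + str.format().

    Returns the value that ended up in the table, or the SQL error text.
    """
    conn = new_db()
    query = "INSERT INTO notes (body) VALUES ('{}')".format(re.escape(value))
    try:
        conn.execute(query)
    except sqlite3.Error as exc:
        return "SQL error: {}".format(exc)
    return conn.execute("SELECT body FROM notes").fetchone()[0]


def store_parameterized(value):
    """The value travels separately from the statement text; no escaping needed."""
    conn = new_db()
    conn.execute("INSERT INTO notes (body) VALUES (?)", (value,))
    return conn.execute("SELECT body FROM notes").fetchone()[0]


if __name__ == "__main__":
    for v in SAMPLES:
        print("input:        ", repr(v))
        print("formatted:    ", repr(store_formatted(v)))
        print("parameterized:", repr(store_parameterized(v)))
```

The first sample breaks the statement because the quote ends the SQL string literal early; the other two insert without error but are stored with regex backslashes added, so the data is silently altered.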



[issue37106] python re.escape doesn't escape some special characters.

2019-05-31 Thread MANI M


MANI M  added the comment:

Sorry, my bad.

query = "insert into table(column) values('{}')".format(escape("Hello'`~world"))




[issue37106] python re.escape doesn't escape some special characters.

2019-05-31 Thread MANI M


MANI M  added the comment:

I have scripts which insert data into a MySQL database. The values may contain 
symbols. Hence, in order to escape them, I use re.escape(). @eric.smith, isn't 
re.escape() supposed to escape all the symbols? If not, why is this introduced 
in 3.7 whereas previous versions behave differently?

Example snippet:

import pymysql
from re import escape
def db_connection():
..
..
..

# This throws error.
query = " insert into table(column) values('{}'.format(escape("Hello'`~world")))




[issue37106] python re.escape doesn't escape some special characters.

2019-05-31 Thread Eric V. Smith


Eric V. Smith  added the comment:

Could you show a problem caused by the characters that are unescaped? I assume 
you're talking about the ` and ' characters, since that's what your example 
shows. But those aren't listed as "special characters" 
(https://docs.python.org/3.5/library/re.html#regular-expression-syntax), so I'm 
not sure what problem would be caused by them being unescaped.

--
nosy: +eric.smith
stage:  -> test needed




[issue37106] python re.escape doesn't escape some special characters.

2019-05-30 Thread Karthikeyan Singaravelan


Karthikeyan Singaravelan  added the comment:

It's a behavior change from 3.6 and it's present from 3.7.0a1




[issue37106] python re.escape doesn't escape some special characters.

2019-05-30 Thread MANI M


MANI M  added the comment:

Thanks a lot for the info. May I know in what version of python the patches are 
applied? Because still 3.7.3 seems to have the issue.




[issue37106] python re.escape doesn't escape some special characters.

2019-05-30 Thread Karthikeyan Singaravelan

Karthikeyan Singaravelan  added the comment:

Please consider posting text content instead of images for better 
accessibility. This could be due to issue29995.

➜  cpython git:(master) python3.6
Python 3.6.4 (default, Mar 12 2018, 13:42:53)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import re
>>> a = r"Hello'`~world"
>>> re.escape(a)
"Hello\\'\\`\\~world"

➜  cpython git:(master) python3.7
Python 3.7.3 (v3.7.3:ef4ec6ed12, Mar 25 2019, 16:52:21)
[Clang 6.0 (clang-600.0.57)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import re
>>> a = r"Hello'`~world"
>>> re.escape(a)
"Hello'`\\~world"

--
nosy: +serhiy.storchaka, xtreak




[issue37106] python re.escape doesn't escape some special characters.

2019-05-30 Thread MANI M


New submission from MANI M :

Recently I figured out an issue in python3 re which doesn't escape some special 
characters.
Not sure whether this bug has been reported already.
Have attached screenshots for your reference.

Steps to reproduce:
1. wget https://www.python.org/ftp/python/3.7.3/Python-3.7.3.tar.xz
2. tar -xvzf Python-3.7.3.tar.xz
3. cd Python-3.7.3
4. ./configure
5. make
6. make install.

GCC version: gcc (GCC) 4.8.5 20150623 (Red Hat 4.8.5-36)
OS: CentOS Linux release 7.6.1810 (Core)

--
components: Regular Expressions
files: python_3.7.3_bug.png
messages: 344020
nosy: MANI M, ezio.melotti, mrabarnett
priority: normal
severity: normal
status: open
title: python re.escape doesn't escape some special characters.
type: behavior
versions: Python 3.7
Added file: https://bugs.python.org/file48377/python_3.7.3_bug.png
