On Thursday 11 December 2008 06:03:27 am Dabo Trac wrote:

> #1190: Proper escaping of quotes in Postgres
> ----------------------+----------------------------------------------------
>   Reporter:  cito     |  Owner:      somebody
>   Type:      defect   |  Status:     new
>   Priority:  major    |  Milestone:  0.8.3
>   Component: ui       |  Version:    0.8.4
>   Keywords:  postgres |
> ----------------------+----------------------------------------------------
> In `dbPostgreSQL`, single quotes are currently escaped using a backslash.
> This can lead to problems in newer Postgres versions (see
> [http://postgresql.mirrors-r-us.net/docs/techdocs-12.html here]) where
> backslash quoting can be restricted or completely switched off. The proper
> and SQL standard way for escaping quotes is by doubling them instead of
> using the backslash.
>
> The patch fixes the `escQuote()` method accordingly and also
> simplifies `formatDateTime()` a bit.
>
> Note that we are dealing with unicode strings here. The proper way of
> quoting encoded strings would be by calling `QuotedString()` from
> `psycopg2.extensions`, which calls a special PostgreSQL function that does
> so in a secure way.
Thanks. I have not reviewed the patch. But have you tested your patch against postgres 7.4 and against psycopg 1.x? For the moment we are still providing ways to support both. I know that postgres 7.4 and psycopg 1 are very old but it was a request from Ed. When we started 7.4 was the dominant postgres version in use and psycopg 1 was the only version. I know this sounds limiting. But if you can test would you? I no longer have access to 7.4.

Also keep in mind that Dabo needs to be database agnostic with respect to the Dabo interface. So any enhancements have to be weighted against what Dabo needs.

That said, I believe we should drop support for postgres 7.4 and psycopg 1. And I think we should use all the features that Postgres offers and psycopg 2 has to offer. Your example of using the `QuotedString()` is only one of several that could be used. It would take some programming to the Dabo interface (actually I'm not sure - I haven't looked in a long time) to allow use of some features but it could be done.

You may not be aware but some time in the future Dabo is scheduled to move away from the present use of dbPostgres and other database interfaces. And move to SQLAlchemy or some other tool to access data. Just an FYI.

Please do not consider these statements in a negative way because I do not want to discourage you in any way. In fact it is nice to see someone else that takes the time to help with the interface to postgres. Just be aware.

--
John Fabiani

_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://leafe.com/mailman/listinfo/dabo-dev
Searchable Archives: http://leafe.com/archives/search/dabo-dev
This message: http://leafe.com/archives/byMID/[EMAIL PROTECTED]
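The escaping issue the ticket describes, as an added example that is not part of this thread or of Dabo's code: a small model of how the server lexes a quoted literal with `standard_conforming_strings` on and off, comparing the legacy backslash form the old `escQuote()` produced with the doubled-quote form the patch adopts. `esc_backslash`, `esc_doubling`, `lex_literal` and `compare` are hypothetical helper names chosen here.

```python
# Added example (not Dabo's code). Models PostgreSQL's lexing of a
# '...' literal under both settings of standard_conforming_strings so
# the two escaping styles from the ticket can be compared offline.

def esc_backslash(value: str) -> str:
    """Legacy style the ticket reports: ' -> \\' (modelled, not Dabo's code)."""
    return value.replace("'", "\\'")


def esc_doubling(value: str) -> str:
    """SQL-standard style the patch adopts: ' -> ''."""
    return value.replace("'", "''")


def lex_literal(sql: str, standard_conforming: bool):
    """Lex one quoted literal at the start of `sql`.

    Returns (value_as_seen_by_server, remaining_sql). With
    standard_conforming=True (PostgreSQL's default since 9.1) a backslash
    is an ordinary character and only '' escapes a quote; with False a
    backslash also escapes the following character (legacy behaviour).
    """
    assert sql.startswith("'"), "expected a quoted literal"
    out, i = [], 1
    while i < len(sql):
        ch = sql[i]
        if ch == "'":
            if sql[i + 1:i + 2] == "'":        # '' -> one literal quote
                out.append("'")
                i += 2
                continue
            return "".join(out), sql[i + 1:]   # closing quote reached
        if ch == "\\" and not standard_conforming and i + 1 < len(sql):
            out.append(sql[i + 1])             # legacy backslash escape
            i += 2
            continue
        out.append(ch)
        i += 1
    raise ValueError("unterminated string literal")


def compare(value: str, standard_conforming: bool) -> dict:
    """Lex the same value escaped both ways; maps style -> (value, trailing SQL).

    A non-empty trailing string means the literal ended early and the rest
    of the input would be parsed as SQL, which is the failure the ticket is
    guarding against when backslash quoting is switched off.
    """
    results = {}
    for name, esc in (("backslash", esc_backslash), ("doubling", esc_doubling)):
        results[name] = lex_literal("'" + esc(value) + "'", standard_conforming)
    return results
```

With `standard_conforming_strings` on, `compare("O'Reilly", True)["backslash"]` returns `("O\\", "Reilly'")`: the quote is no longer escaped and the rest of the input leaks out of the literal, while the doubled form yields `("O'Reilly", "")` under both settings. As the ticket notes, driver-side quoting (`psycopg2.extensions.QuotedString`) or parameter binding is preferable to hand-rolled escaping.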
