#12923: Base last_executed_query() does not escape parameters
------------------------------------------+---------------------------------
Reporter: pablobm | Owner: nobody
Status: new | Milestone:
Component: Database layer (models, ORM) | Version: 1.2-beta
Keywords: last_executed_query escaping | Stage: Unreviewed
Has_patch: 1 |
------------------------------------------+---------------------------------
The base implementation of `last_executed_query()` does not escape its
parameters. For example, a query like the following is returned:
{{{
u'SELECT * FROM things WHERE name = unscaped"stuff'
}}}
When it should be something along the lines of:
{{{
u'SELECT * FROM things WHERE name = "unscaped\"stuff"'
}}}
Nevertheless, it can be argued that `BaseDatabaseOperations` does not make
assumptions as to what quoting scheme each different database prefers. In
that case, the problem is that the MySQL backend (and probably all
others except `postgresql_psycopg2`) suffers from this problem by not
implementing its own version of `last_executed_query()`.
A specific third-party piece of software that is affected by this problem
is ''django-devserver''. This raises an exception on my computer when it
tries to display recently executed SQL statements that contain characters
such as quotes, as it relies on `last_executed_query()` to do so.
I'm attaching a patch for 1.2-beta, although 1.1 is affected too. It
implements a MySQL-specific solution in the appropriate backend.
--
Ticket URL: <http://code.djangoproject.com/ticket/12923>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
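An added illustration (not the ticket's patch and not Django's code) of the difference the report describes: plain %-substitution, as the base implementation does, beside a rendering that quotes and escapes each parameter. It assumes MySQL-style string literals (single quotes, backslash escapes); `mysql_literal` is a hypothetical display-only helper.

```python
# Constructed example: why the base last_executed_query() output is misleading
# and what a backend-aware rendering has to do. Display/logging only.

def naive_last_executed_query(sql, params):
    """Mimics the base behaviour from the ticket: %-substitution of the raw
    parameter values, with no quoting or escaping at all."""
    return sql % tuple(params)


# MySQL-style escapes for characters that would otherwise break or end a literal.
_MYSQL_ESCAPES = {
    "\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
    "\n": "\\n", "\r": "\\r", "\x1a": "\\Z",
}


def mysql_literal(value):
    """Render one parameter as a MySQL literal for display. Hypothetical helper:
    a real backend should ask the driver for its escaping (or the statement it
    actually sent) rather than reimplementing the rules here."""
    if value is None:
        return "NULL"
    if isinstance(value, bool):          # bool is a subclass of int, check first
        return "1" if value else "0"
    if isinstance(value, (int, float)):
        return repr(value)
    text = str(value)
    return "'" + "".join(_MYSQL_ESCAPES.get(ch, ch) for ch in text) + "'"


def escaped_last_executed_query(sql, params):
    """Backend-aware rendering: every parameter becomes a quoted, escaped
    literal, so the logged SQL stays unambiguous when values contain quotes."""
    return sql % tuple(mysql_literal(p) for p in params)


if __name__ == "__main__":
    sql = "SELECT * FROM things WHERE name = %s"
    params = ['unscaped"stuff']          # the ticket's sample value
    print(naive_last_executed_query(sql, params))
    print(escaped_last_executed_query(sql, params))
```

Both renderings exist only for debugging tools such as django-devserver; the parameters themselves still go to the driver separately and are never spliced into the statement that is executed.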