#12923: Base last_executed_query() does not escape parameters
---------------------------------------------------+------------------------
Reporter: pablobm | Owner: pablobm
Status: assigned | Milestone:
Component: Database layer (models, ORM) | Version: 1.2-beta
Resolution: | Keywords: last_executed_query escaping
Stage: Accepted | Has_patch: 1
Needs_docs: 0 | Needs_tests: 1
Needs_better_patch: 1 |
---------------------------------------------------+------------------------
Changes (by pablobm):
* owner: nobody => pablobm
* status: new => assigned
Comment:
I've been working on this one today. I'm not entirely sure what the best
approach would be, so I need a bit of advice at this point. The new patch
provides a test, passing for the MySQL and SQLite backends.
I'm not entirely happy about the test. Testing the strings in such a
literal fashion looks a bit brittle to me. However, it's the string that
we are checking after all, so I couldn't think of anything better.
Also, I have created a new method on the abstract backend. It's called
`construct_query()` and makes the SQL template and the params into a
"final" SQL query. It also receives the cursor so subclasses can use
backend-specific methods. I provide generic quoting+escaping, later
overridden on the MySQL subclass.
The method `construct_query()` is called by `last_executed_query()`,
therefore the Unicode conversions in the latter method are kept.
Before going on to implement this for other backends, can I have some
feedback on this one, please?
--
Ticket URL: <http://code.djangoproject.com/ticket/12923#comment:2>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
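The comment above describes a `construct_query()` helper that turns an SQL template plus its parameter list into a "final", human-readable query for `last_executed_query()`, with generic quoting and escaping that a backend subclass can override. The following is an added, stand-alone illustration of that idea and is not the patch attached to the ticket nor Django's own code: the function names, the `paramstyle` argument, the `quote` hook and the sample queries are assumptions made here. The security-relevant point it shows is why the parameters must be quoted and escaped even though the result is only ever displayed: a naive `sql % params` produces a string like `name = O'Reilly`, which is not the query the database ran and can mislead anyone reading debug output or logs. The string produced here is for display only and must never be passed back to `cursor.execute()`; parameterised execution is what actually protects against injection.

```python
import datetime
import decimal


def quote_value(value):
    """Render one parameter as an SQL literal for display purposes only.

    Generic rule assumed here: double any single quote, as in standard SQL.
    A backend subclass would substitute its own rules (see mysql_quote_value).
    """
    if value is None:
        return "NULL"
    if isinstance(value, bool):          # must precede the int check
        return "1" if value else "0"
    if isinstance(value, (int, float, decimal.Decimal)):
        return str(value)
    if isinstance(value, (datetime.date, datetime.datetime)):
        return "'%s'" % value            # ISO text, contains no quotes
    if isinstance(value, bytes):
        value = value.decode("utf-8", "replace")
    return "'%s'" % str(value).replace("'", "''")


def mysql_quote_value(value):
    """Illustrative MySQL-flavoured override: backslash is an escape
    character there, so it is doubled and quotes are backslash-escaped.
    This approximates, but is not, the driver's own escaping routine."""
    if isinstance(value, bytes):
        value = value.decode("utf-8", "replace")
    if isinstance(value, str):
        escaped = value.replace("\\", "\\\\").replace("'", "\\'")
        return "'%s'" % escaped
    return quote_value(value)


def construct_query(sql, params, paramstyle="format", quote=quote_value):
    """Substitute quoted parameters into the template for display.

    paramstyle="format": %s placeholders (MySQL, PostgreSQL); literal
        percent signs are written as %% in the template, exactly as the
        driver expects, so plain % formatting reproduces the final text.
    paramstyle="qmark":  ? placeholders (SQLite). The split on '?' is
        deliberately simple and would also split a '?' inside a string
        literal; acceptable for a debugging aid, not for execution.
    Only sequence parameters are handled (the case Django's backends use).
    """
    if params is None:
        return sql
    quoted = [quote(p) for p in params]
    if paramstyle == "format":
        return sql % tuple(quoted)
    if paramstyle == "qmark":
        parts = sql.split("?")
        if len(parts) - 1 != len(quoted):
            raise ValueError("placeholder/parameter count mismatch")
        out = parts[0]
        for literal, rest in zip(quoted, parts[1:]):
            out += literal + rest
        return out
    raise ValueError("unsupported paramstyle: %r" % paramstyle)


def naive_query(sql, params):
    """What an unescaped interpolation produces: kept only to show the
    misleading output the ticket is about."""
    return sql % tuple(params)


def demo():
    # Constructed sample template and parameters, not taken from the ticket.
    sql = "SELECT id FROM author WHERE name = %s AND books > %s"
    params = ["O'Reilly", 3]
    return {
        "naive": naive_query(sql, params),
        "escaped": construct_query(sql, params),
        "mysql": construct_query(sql, params, quote=mysql_quote_value),
        "sqlite": construct_query(sql.replace("%s", "?"), params,
                                  paramstyle="qmark"),
    }


if __name__ == "__main__":
    for label, text in demo().items():
        print("%-8s %s" % (label, text))
```

Note that `quote_value()` is shared by both paramstyles; only the placeholder handling differs, which is the split the comment proposes between the abstract backend and the backend-specific override.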