#16407: Unicode not working for direct SQL INSERT
-------------------------------------+-------------------------------------
               Reporter:  mashedmeat |          Owner:  nobody
                   Type:  Bug        |         Status:  closed
              Milestone:             |      Component:  Database layer (models, ORM)
                Version:  1.3        |       Severity:  Normal
             Resolution:  invalid    |       Keywords:
           Triage Stage:  Unreviewed |      Has patch:  0
    Needs documentation:  0          |    Needs tests:  0
Patch needs improvement:  0          |  Easy pickings:  0
                  UI/UX:  0          |
-------------------------------------+-------------------------------------
Changes (by aaugustin):

 * status:  new => closed
 * resolution:   => invalid


Comment:

 This is not specific to Django; it's a direct consequence of the DB-API
 (PEP 249, if memory serves).

 The database adapter has no way of knowing which parameters should be
 escaped as table names and which parameters should be escaped as "regular
 parameters" — no magic here.

 You must use string interpolation to insert the table name in the SQL
 query, and parameter substitution for the parameters. I hope your table
 names are not derived from user input :) You may validate them against a
 whitelist or a simple regexp if they're really variable.

-- 
Ticket URL: <https://code.djangoproject.com/ticket/16407#comment:2>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
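
The split the comment describes, as an added example (not code from the ticket or from Django): the table name is interpolated only after an allowlist and regexp check, and the values go through parameter substitution. It uses Python's standard `sqlite3` module as the DB-API adapter; the table names, the allowlist and the function names are assumptions made for illustration.

```python
import re
import sqlite3

# Hypothetical allowlist of tables this code may write to.
ALLOWED_TABLES = {"notes", "archive_2011"}
IDENTIFIER_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")  # simple regexp check


def checked_table(name):
    """Return name only if it is a well-formed, allowlisted identifier."""
    if not IDENTIFIER_RE.fullmatch(name) or name not in ALLOWED_TABLES:
        raise ValueError("table name not allowed: %r" % (name,))
    return name


def insert_note(conn, table, body):
    # Table name: string interpolation, but only after validation.
    sql = 'INSERT INTO "%s" (body) VALUES (?)' % checked_table(table)
    # Value: parameter substitution; the adapter handles quotes and Unicode.
    return conn.execute(sql, (body,)).lastrowid


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "notes" (id INTEGER PRIMARY KEY, body TEXT)')
    # Constructed sample values: non-ASCII text and a quote-laden string.
    samples = ["Ünïcödé ✓ 日本語", "it's; -- \"quoted\""]
    for s in samples:
        insert_note(conn, "notes", s)
    stored = [r[0] for r in conn.execute('SELECT body FROM "notes" ORDER BY id')]
    try:  # a name outside the allowlist is rejected before any SQL is built
        insert_note(conn, "notes; --", "ignored")
        rejected = False
    except ValueError:
        rejected = True
    try:  # binding the table name as a parameter does not work
        conn.execute("INSERT INTO ? (body) VALUES (?)", ("notes", "x"))
        bind_failed = False
    except sqlite3.OperationalError:
        bind_failed = True
    return samples, stored, rejected, bind_failed


if __name__ == "__main__":
    print(demo())
```

With `sqlite3` the bound table name fails as a syntax error; other adapters may instead quote it as a string value, which also produces an invalid statement.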
