On Thu, 2006-04-13 at 16:53 -0500, Ian Bicking wrote:
> In SQL-API I'm running all parameters through a database-specific
> wrapper, so they can futz with types if they need to (e.g., if they
> can't support normal datetime objects). Probably anything that uses
> pyformat should also have % quoted in non-parameter text; I think they
> all use "query % parameters".
Yes, this is the problem I mentioned at PyCon. The ones I checked all
seem to be consistent in this behavior. I added a small method to
Trac's DB layer to escape "%" inside SQL literal strings:
def sql_escape_percent(sql):
    import re
    # Double every '%' that appears inside a single-quoted SQL literal
    # ('' is treated as an escaped quote) so that pyformat's
    # "query % parameters" step passes it through as a single '%'.
    return re.sub("'((?:[^']|(?:''))*)'",
                  lambda m: m.group(0).replace('%', '%%'), sql)
This works as long as you only use the ANSI quoting using two single
quotes, but doesn't account for DBs like PostgreSQL that also use
backslashes. I guess it would also probably break if you had a single
quote inside a quoted column or table name, but that's just asking for
trouble.
--
Matt Good <[EMAIL PROTECTED]>
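Added illustration, not code from the thread: Matt's escaping function next to a hypothetical stand-in for the driver's pyformat interpolation step, showing the failure on an unescaped `LIKE 'fix%'` literal, the fix, and the PostgreSQL backslash-quote case the post says it does not handle.

```python
import re

# Matt Good's function from the post, behaviour unchanged: double every '%'
# inside an ANSI single-quoted literal ('' is the quote escape).
def sql_escape_percent(sql):
    return re.sub("'((?:[^']|(?:''))*)'",
                  lambda m: m.group(0).replace('%', '%%'), sql)

# Hypothetical stand-in for what a pyformat driver does before sending the
# statement: interpolate the parameter dict into the query text.  Parameter
# values are substituted as-is, so a '%' in a *value* is never a problem;
# only '%' in the query text itself collides with the format syntax.
def pyformat_interpolate(sql, params):
    return sql % params

def run_unescaped(sql, params):
    """Return the interpolated statement, or the name of the error raised."""
    try:
        return pyformat_interpolate(sql, params)
    except (ValueError, TypeError, KeyError) as exc:
        return type(exc).__name__

def run_escaped(sql, params):
    """Same, but with '%' inside literals escaped first."""
    return run_unescaped(sql_escape_percent(sql), params)

# Constructed sample: a LIKE pattern literal plus a real parameter placeholder.
QUERY = "SELECT id FROM ticket WHERE summary LIKE 'fix%' AND id = %(id)s"

# Constructed sample using the PostgreSQL-style backslash quote escape that
# the regex does not understand: the literal is cut at \' and the '%' after it
# is left unescaped, so interpolation still fails.
PG_QUERY = "SELECT id FROM ticket WHERE summary LIKE 'it\\'s 50%' AND id = %(id)s"

if __name__ == "__main__":
    print(run_unescaped(QUERY, {"id": 1}))   # ValueError
    print(run_escaped(QUERY, {"id": 1}))     # ... LIKE 'fix%' AND id = 1
    print(run_escaped(PG_QUERY, {"id": 1}))  # ValueError
```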
_______________________________________________
sqlobject-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/sqlobject-discuss