@Jun Omae, yes, I understand. I am exploring the database API document and changing
my code accordingly. About the single and double quotes: actually, we
faced some issues in the past when inserting text with single quotes into the PostgreSQL
database. From that experience, we started avoiding the quotes.
But let me retry the right way to store them in the DB instead of removing them.
About the \n and \r, frankly, I removed them because if there are many
newlines in the user's input, it occupies the database and makes it
very big in size (not sure it really occupies space in terms of bytes, but I
am talking about the look in the terminal; it looks huge in the terminal when
selected). I welcome your opinion and good practices for handling
them.
Coming to my problem above, I altered the way the query is prepared. Now
I tried the code below and it worked.
    query = ("insert into ticket_time ( exclusion, time_submitted, "
             "seconds_worked, submitter, worker, modified, comments, ticket_time_status, "
             "reason, time_started, ticket) values %s returning "
             "id,ticket,exclusion,reason,time_started")
    cursor.execute(query, (values,))
In the chunk above, values is a string, and I am passing it into a
tuple, which in turn is passed to the execute statement. Now I did no
conversion to unicode. Input from my user is encoded to unicode when
accessing the request arguments (say req.args.get("comments")). Then I am
just passing that value to the execute statement directly, so it is stored in the
database. Retrieval also works well without issues.
On Monday, March 9, 2020 at 11:38:38 AM UTC+5:30, Jun Omae wrote:
>
> On Sun, Mar 8, 2020 at 4:08 PM Velu Narasimman <[email protected]> wrote:
> >
> > Method: 1
> >
> > When I just used the below,
> > detail['comments']
> >
> > Query is read as
> > insert into ticket_time ( exclusion, time_submitted, seconds_worked,
> submitter, worker, modified, comments, ticket_time_status, reason,
> time_started, ticket) values ('on-premise', 1583650057, 7200.0,
> 'sergio.martinez', 'sergio.martinez', 1583650057, u'BRD_PAG_009 Pago
> Establecimientos BRD_ACT_015 Maduraci\\xf3n de Operaciones de Cr\\xe9dito',
> 0, 'mentoring/review', 1583346600, 1693) returning
> id,ticket,exclusion,reason,time_started
> >
>
> Instead of constructing SQL statements, you should use DB API.
> Removing single-quote, double-quote and control characters to
> construct SQL statements is bad practice.
>
> See also https://trac.edgewall.org/wiki/TracDev/DatabaseApi
>
>
> --
> Jun Omae <[email protected]> (大前 潤)
>
--
You received this message because you are subscribed to the Google Groups "Trac
Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/trac-users/c99cc718-00ce-43e3-953b-ed3f92bb1a57%40googlegroups.com.
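As an added example (not code from this thread, from Trac or from psycopg2), the following Python shows the point Jun makes and the fix Velu describes: the same ticket_time insert written first with string formatting and then with DB API placeholders, fed a constructed comment that contains accented characters, both kinds of quotes and an embedded CRLF, plus a constructed payload that shows why stripping quotes was a workaround rather than a fix. It uses the standard library sqlite3 module so it runs offline; the table definition, the sample values and the helper names (setup_db, insert_by_formatting, insert_parameterized, fetch and so on) are assumptions made for this demo. With psycopg2 or Trac's DB API the placeholder is %s instead of ?.

```python
import sqlite3

# Added example, not code from the thread or from Trac. The stdlib sqlite3
# module stands in for PostgreSQL so the script runs offline; with psycopg2 or
# Trac's DB API the only change is the placeholder ("%s" instead of "?").
# Column list copied from the INSERT in the thread.
COLUMNS = ("exclusion", "time_submitted", "seconds_worked", "submitter",
           "worker", "modified", "comments", "ticket_time_status", "reason",
           "time_started", "ticket")

# Constructed sample comment: accented characters, both kinds of quotes and
# an embedded CRLF, i.e. everything the original code stripped out.
COMMENT = ("BRD_PAG_009 Pago Establecimientos\r\n"
           "BRD_ACT_015 Maduraci\u00f3n de Operaciones de Cr\u00e9dito "
           "(O'Brien's note, \"double\" quoted)")

# Constructed payload: closes the comments literal, supplies its own values
# for the four remaining columns and comments out the real ones.
PAYLOAD = "harmless', 99, 'reason set by the user', 0, 0) --"


def make_row(comment):
    """One ticket_time row using the fixed values seen in the thread."""
    return ("on-premise", 1583650057, 7200.0, "sergio.martinez",
            "sergio.martinez", 1583650057, comment, 0, "mentoring/review",
            1583346600, 1693)


def setup_db():
    """Assumed schema for the demo; the real table is not shown in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE ticket_time (
        id INTEGER PRIMARY KEY, exclusion TEXT, time_submitted INTEGER,
        seconds_worked REAL, submitter TEXT, worker TEXT, modified INTEGER,
        comments TEXT, ticket_time_status INTEGER, reason TEXT,
        time_started INTEGER, ticket INTEGER)""")
    return conn


def insert_by_formatting(conn, row):
    """The pattern the thread started from: paste quoted values into the SQL.
    A single quote in any value either breaks the statement or lets the user
    rewrite the rest of it."""
    literals = ", ".join("'%s'" % v if isinstance(v, str) else str(v) for v in row)
    sql = "INSERT INTO ticket_time (%s) VALUES (%s)" % (", ".join(COLUMNS), literals)
    return conn.execute(sql).lastrowid


def insert_parameterized(conn, row):
    """DB API style: the driver sends the values separately from the SQL text,
    so quotes, control characters and non-ASCII text are stored as they are."""
    placeholders = ", ".join(["?"] * len(row))   # "%s" for psycopg2 / Trac
    sql = "INSERT INTO ticket_time (%s) VALUES (%s)" % (", ".join(COLUMNS), placeholders)
    return conn.execute(sql, row).lastrowid


def fetch(conn, rowid):
    """Return (comments, ticket_time_status, reason) for one stored row."""
    cur = conn.execute(
        "SELECT comments, ticket_time_status, reason FROM ticket_time WHERE id = ?",
        (rowid,))
    return cur.fetchone()


def roundtrip(comment):
    """Store a comment with placeholders and read it back unchanged."""
    conn = setup_db()
    return fetch(conn, insert_parameterized(conn, make_row(comment)))


def formatting_breaks(comment):
    """True if string formatting cannot even store this comment."""
    conn = setup_db()
    try:
        insert_by_formatting(conn, make_row(comment))
    except sqlite3.OperationalError:   # syntax error at the first stray quote
        return True
    return False


def injection_result(comment=PAYLOAD):
    """What each insert style stores for the payload: (formatted, parameterized)."""
    conn = setup_db()
    formatted = fetch(conn, insert_by_formatting(conn, make_row(comment)))
    parameterized = fetch(conn, insert_parameterized(conn, make_row(comment)))
    return formatted, parameterized


if __name__ == "__main__":
    print(roundtrip(COMMENT))
    print(formatting_breaks(COMMENT))
    print(injection_result())
```

Running it shows the comment read back exactly as submitted, CRLF included, so nothing has to be removed before the insert (a newline is one byte in the stored text, however tall the row looks in psql). The formatting version raises a syntax error on the first single quote, and for the payload it stores 99 and a user-chosen reason in columns the user was never meant to control, while the parameterized version stores the payload as an ordinary string. On psycopg2 specifically, a single %s whose parameter is a Python tuple is adapted to a parenthesised value list, which is why `values %s` with `(values,)` works when values is a tuple; one placeholder per column, as above, behaves the same on every DB API driver.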