I opened the ticket as you suggested and you've confirmed that
in executesql the values in the placeholders argument are passed directly
to the driver without escaping.
I've tried doing the same call with the MSSQL adaptor using the pyodbc
driver.
db.executesql("insert into test1 (t1) VALUES (?)", placeholders =("'1'",))
This time the values are escaped and all is well.
So I am still unclear if this is a web2py bug in the implementation of
executesql or a difference in how the underlying drivers perform.
I also note that there was a change in drivers from MySQLdb to pymysql
in web2py 1.90. I will also try this testDB method with 1.89.1.
In the short term, as I want to use executesql with both MSSQL and MySQL I
will probably write a wrapper function like this:
def executesql(db, query, placeholders=None, as_dict=False):
    # pyodbc uses '?' (qmark) placeholders, so rewrite the '%s' style used for MySQL
    if db._name == 'mssql':
        query = query.replace('%s', '?')
    # for MySQL, escape the values first (mysql_escape is not defined here; see the question below)
    elif db._name == 'mysql':
        if placeholders is not None:
            placeholders = mysql_escape(placeholders)
    return db.executesql(query, placeholders, as_dict)
Is there a single mysql_escape function that I should be using from the
pymysql driver or should I be writing my own?
On Wednesday, October 10, 2012 1:31:59 PM UTC+11, Massimo Di Pierro wrote:
>
> Please open a ticket about this. I can fix it later tonight or tomorrow.
>
>
--
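The placeholder-style question in the post above, as an added example that is not the poster's code or web2py's own: rather than escaping the values by hand, the wrapper rewrites the '%s' (format style, as pymysql expects) placeholders to '?' (qmark style, as pyodbc expects) and always hands the values to the driver's execute() as parameters, so the driver does the quoting. It assumes a plain DB-API connection in place of web2py's db object, the driver module's paramstyle passed in explicitly, and sqlite3 (also qmark style) standing in for pyodbc so it runs offline.

```python
import sqlite3


def convert_format_to_qmark(query):
    """Rewrite '%s' placeholders to '?'; a literal '%%' becomes a single '%'."""
    # Split on escaped percent signs first so that '%%s' is not mistaken
    # for a placeholder, then rejoin with the single '%' the driver should see.
    parts = query.split("%%")
    return "%".join(p.replace("%s", "?") for p in parts)


def executesql(conn, paramstyle, query, placeholders=None):
    """Run a '%s'-style query with driver-side parameter binding.

    conn       -- a DB-API connection (hypothetical stand-in for web2py's db)
    paramstyle -- the driver module's paramstyle: 'format' (pymysql) or
                  'qmark' (pyodbc, sqlite3)
    Values are never interpolated or escaped here; the driver binds them.
    """
    if paramstyle == "qmark":
        query = convert_format_to_qmark(query)
    elif paramstyle != "format":
        raise ValueError("unsupported paramstyle: %s" % paramstyle)
    cur = conn.cursor()
    cur.execute(query, tuple(placeholders or ()))
    conn.commit()
    # description is None for statements that return no rows (e.g. INSERT)
    return cur.fetchall() if cur.description else cur.rowcount


def demo():
    """Constructed check: quotes and percent signs in values are stored verbatim."""
    conn = sqlite3.connect(":memory:")  # sqlite3.paramstyle == 'qmark'
    conn.execute("create table test1 (t1 text)")
    # Constructed inputs: the quoted value from the thread, an embedded quote,
    # and a percent sign (which must not be read as a placeholder).
    for value in ("'1'", "O'Reilly", "100% done"):
        executesql(conn, sqlite3.paramstyle,
                   "insert into test1 (t1) VALUES (%s)", (value,))
    rows = executesql(conn, sqlite3.paramstyle,
                      "select t1 from test1 order by rowid")
    return [row[0] for row in rows]


if __name__ == "__main__":
    print(demo())
```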