Please use web2py 2.0.9+; executesql was re-written.

On Wednesday, 10 October 2012 20:23:17 UTC-5, chris_g wrote:
>
> I opened the ticket as you suggested and you've confirmed that 
> in executesql the values in the placeholders argument are passed directly 
> to the driver without escaping.
> I've tried doing the same call with the MSSQL adapter using the pyodbc 
> driver.
> db.executesql("insert into test1 (t1) VALUES (?)", placeholders=("'1'",))
>
> This time the values are escaped and all is well.
> So I am still unclear if this is a web2py bug in the implementation of 
> executesql or a difference in how the underlying drivers perform.
> I also note that there was a change in drivers from MySQLdb to pymysql 
> in web2py 1.90. I will also try this testDB method with 1.89.1.
>
> In the short term, as I want to use executesql with both MSSQL and MySQL I 
> will probably write a wrapper function like this:
>
> def executesql(db, query, placeholders=None, as_dict=False):
>     if db._name == 'mssql':
>         # pyodbc uses '?' (qmark) placeholders rather than '%s'
>         query = query.replace('%s', '?')
>     elif db._name == 'mysql':
>         if placeholders is not None:
>             placeholders = mysql_escape(placeholders)
>     return db.executesql(query, placeholders, as_dict)
>
>
> Is there a single mysql_escape function that I should be using from the 
> pymysql driver or should I be writing my own?
>
>
> On Wednesday, October 10, 2012 1:31:59 PM UTC+11, Massimo Di Pierro wrote:
>>
>> Please open a ticket about this. I can fix it later tonight or tomorrow.
>>
>>

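The thread turns on two separate things: the placeholder syntax differs between drivers ('%s' for MySQLdb/pymysql, '?' for pyodbc), and values handed to a DB-API driver as parameters do not need escaping by the caller, because the driver quotes or binds them itself. The following is an added example, not code from the thread or from web2py, showing a driver-portable wrapper in the spirit of chris_g's one above. It keys the placeholder rewrite on the driver module's DB-API `paramstyle` attribute instead of on the adapter name, leaves '%s' inside quoted SQL literals alone (a plain `str.replace` would not), and never interpolates values. It uses the standard-library sqlite3 module (paramstyle 'qmark', like pyodbc) so it runs offline; the function names `to_qmark`, `execute_portable` and `demo`, and the `test1` table contents, are constructed for the example.

```python
import re
import sqlite3

# The two DB-API 2.0 paramstyles mentioned in the thread: 'format' (%s, as in
# MySQLdb/pymysql) and 'qmark' (?, as in pyodbc). sqlite3 uses 'qmark', so it
# serves here as an offline stand-in for the pyodbc side.
# The regex matches a single-quoted SQL literal first, so a %s inside one is
# returned unchanged; only bare %s tokens become ?.
_TOKEN = re.compile(r"'(?:[^']|'')*'|%s")


def to_qmark(query):
    """Rewrite %s placeholders as ?, leaving single-quoted SQL literals untouched."""
    return _TOKEN.sub(lambda m: "?" if m.group(0) == "%s" else m.group(0), query)


def execute_portable(conn, paramstyle, query, params=()):
    """Run a %s-style query on any DB-API connection, passing values as parameters.

    paramstyle is the driver module's own `paramstyle` attribute
    (sqlite3.paramstyle, pymysql.paramstyle, pyodbc.paramstyle). The values are
    never formatted into the SQL text here; the driver quotes (pymysql) or
    binds (pyodbc, sqlite3) them, so no caller-side escaping is required.
    """
    if paramstyle == "qmark":
        query = to_qmark(query)
    elif paramstyle != "format":
        raise ValueError("unsupported paramstyle: %r" % paramstyle)
    cur = conn.cursor()
    cur.execute(query, tuple(params))
    return cur


def demo():
    """Constructed data: store the thread's value "'1'" and contrast binding with formatting."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE test1 (t1 TEXT)")
    insert = "INSERT INTO test1 (t1) VALUES (%s)"
    execute_portable(conn, sqlite3.paramstyle, insert, ("'1'",))      # quotes stored verbatim
    execute_portable(conn, sqlite3.paramstyle, insert, ("50% off",))  # a literal % in data is fine
    stored = [r[0] for r in conn.execute("SELECT t1 FROM test1 ORDER BY rowid")]

    # A tautology payload: passed as a parameter it is just a string that matches no row ...
    payload = "' OR '1'='1"
    bound = execute_portable(conn, sqlite3.paramstyle,
                             "SELECT count(*) FROM test1 WHERE t1 = %s",
                             (payload,)).fetchone()[0]
    # ... whereas formatting it into the SQL text lets it rewrite the WHERE clause.
    unsafe_sql = "SELECT count(*) FROM test1 WHERE t1 = '%s'" % payload
    interpolated = conn.execute(unsafe_sql).fetchone()[0]
    return stored, bound, interpolated


if __name__ == "__main__":
    print(demo())
```

With a real driver the call is `execute_portable(conn, pymysql.paramstyle, sql, values)` or `execute_portable(conn, pyodbc.paramstyle, sql, values)`; the only thing that changes between them is the placeholder rewrite, and in neither case does the caller escape anything.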