Revision 2058
Added by Aaron Marcuse-Kubitza over 12 years ago
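--- a/lib/sql.py
+++ b/lib/sql.py
@@ -285,12 +285,12 @@
 @param table_is_esc Whether the table name has already been escaped
 @return tuple(query, params)
 '''
+def esc_name_(name): return esc_name(db, name, preserve_case=True)
+
 if conds == None: conds = {}
 assert limit == None or type(limit) == int
 assert start == None or type(start) == int
-if not table_is_esc: check_name(table)
-if fields != None: map(check_name, fields)
-map(check_name, conds.keys())
+if not table_is_esc: table = esc_name_(table)
 
 params = []
 
@@ -300,13 +300,13 @@
 value, col = field
 sql_ = '%s'
 params.append(value)
-if col != None: sql_ += ' AS '+esc_name(db, col)
-else: sql_ = esc_name(db, field) # field is col name
+if col != None: sql_ += ' AS '+esc_name_(col)
+else: sql_ = esc_name_(field) # field is col name
 return sql_
 def cond(entry):
 '''Parses conditions'''
 col, value = entry
-cond_ = esc_name(db, col)+' '
+cond_ = esc_name_(col)+' '
 if value == None: cond_ += 'IS'
 else: cond_ += '='
 cond_ += ' %s'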
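Review bot: In the first hunk the three `check_name` calls are dropped, so after this change the only thing between a caller-supplied table, field or condition name and the query text is `esc_name`, whose quoting rules are not visible here. It would help to say so next to the new helper, e.g. `# every identifier is quoted here; relies on esc_name() neutralising embedded quote characters`, and to confirm that it does. When `table_is_esc` is true the table string still reaches the query unquoted, so the `@param table_is_esc` line should state that the caller must pass a name it escaped itself, never raw input. The helper also fixes `preserve_case=True` for the calls at new lines 303, 304 and 309, which previously used `esc_name`'s default; if that default folds case, existing callers may now hit case-sensitive lookups. `mk_select` begins and ends outside the shown lines.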
sql.py: mk_select(): Escape all names used (table, column, cond, etc.)