
Revision 2058

sql.py: mk_select(): Escape all names used (table, column, cond, etc.)


lib/sql.py
285 285
    @param table_is_esc Whether the table name has already been escaped
286 286
    @return tuple(query, params)
287 287
    '''
288
    def esc_name_(name): return esc_name(db, name, preserve_case=True)
289
    
288 290
    if conds == None: conds = {}
289 291
    assert limit == None or type(limit) == int
290 292
    assert start == None or type(start) == int
291
    if not table_is_esc: check_name(table)
292
    if fields != None: map(check_name, fields)
293
    map(check_name, conds.keys())
293
    if not table_is_esc: table = esc_name_(table)
294 294
    
295 295
    params = []
296 296
    
......
300 300
            value, col = field
301 301
            sql_ = '%s'
302 302
            params.append(value)
303
            if col != None: sql_ += ' AS '+esc_name(db, col)
304
        else: sql_ = esc_name(db, field) # field is col name
303
            if col != None: sql_ += ' AS '+esc_name_(col)
304
        else: sql_ = esc_name_(field) # field is col name
305 305
        return sql_
306 306
    def cond(entry):
307 307
        '''Parses conditions'''
308 308
        col, value = entry
309
        cond_ = esc_name(db, col)+' '
309
        cond_ = esc_name_(col)+' '
310 310
        if value == None: cond_ += 'IS'
311 311
        else: cond_ += '='
312 312
        cond_ += ' %s'
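Review bot: With the three check_name() calls removed (old lines 291–293), identifier safety in mk_select now rests entirely on esc_name(db, name, preserve_case=True) quoting correctly, including doubling any quote character embedded in the name; esc_name is not in this section, so that property should be confirmed, and if check_name also rejected non-identifier strings, keeping that validation next to the escape costs nothing. The esc_name_ helper additionally switches every column, alias and condition escape from esc_name(db, col) to preserve_case=True, which the commit title does not mention and which may change how case-folded column names resolve on case-sensitive backends — worth a line in the message or the docstring. The table_is_esc path at new line 293 interpolates the caller's string verbatim, so the @param line at 285 could state the contract: `@param table_is_esc Whether the table name has already been escaped; if True it is used verbatim, so never pass caller-supplied text with this flag`. The helper itself would also read better with a short docstring, e.g. `'''Escape an identifier with the case preserved'''`. mk_select's body starts before and continues after this section.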
