
Revision 2762

sql.py: DbConn.DbCursor.execute(): If not using params, escape the query using strings.esc_for_mogrify() in case any literals contained "%"s


lib/sql.py
105 105
    try: return value(cur)
106 106
    except StopIteration: return None
107 107

  
108
##### Input validation
108
##### Escaping
109 109

  
110 110
def esc_name_by_module(module, name):
111 111
    if module == 'psycopg2' or module == None: quote = '"'
......
212 212
            self.result = []
213 213
        
214 214
        def execute(self, query, params=None):
215
            if params == None or params == [] or params == ():# not using params
216
                esc_query = strings.esc_for_mogrify(query)
217
            else: esc_query = query
218
            
215 219
            self._is_insert = query.upper().find('INSERT') >= 0
216 220
            self.query_lookup = _query_lookup(query, params)
217 221
            try:
218 222
                try:
219
                    return_value = self.inner.execute(query, params)
223
                    cur = self.inner.execute(esc_query, params)
220 224
                    self.outer.do_autocommit()
221 225
                finally: self.query = get_cur_query(self.inner, query, params)
222 226
            except Exception, e:
......
226 230
                raise
227 231
            # Fetch all rows so result will be cached
228 232
            if self.rowcount == 0 and not self._is_insert: consume_rows(self)
229
            return return_value
233
            return cur
230 234
        
231 235
        def fetchone(self):
232 236
            row = self.inner.fetchone()
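Review bot: The new guard `if params == None or params == [] or params == ():` recognises only three empty shapes, so an empty dict (the form used with named `%(name)s` placeholders) still takes the else branch and the unescaped query is handed to the driver together with a mapping, which is the situation the commit is fixing; `params == None` should also be an identity test. `if not params:  # None or any empty sequence/mapping — not using params` covers all of these in one line. Separately, psycopg2 and MySQLdb skip `%`-interpolation entirely when the params argument is None, so if `strings.esc_for_mogrify()` doubles `%` to `%%` the doubled form would reach the server in the params=None case — worth confirming against that helper, which is not shown here. The `get_cur_query` and `_query_lookup` calls still receive the unescaped `query`, which looks intentional for logging and cache keys but deserves a short comment saying so. The body of execute() continues past the end of this hunk (lines 223–225 are not shown).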
