
Revision 644

sql.py: Use esc_name() to escape fields in SELECT statements


lib/sql.py
84 84
    map(check_name, conds.keys())
85 85
    def cond(entry):
86 86
        col, value = entry
87
        cond_ = col+' '
87
        cond_ = esc_name(db, col)+' '
88 88
        if value == None: cond_ += 'IS'
89 89
        else: cond_ += '='
90 90
        cond_ += ' %s'
91 91
        return cond_
92
    query = 'SELECT '+', '.join(fields)+' FROM '+table
92
    query = ('SELECT ' + ', '.join([esc_name(db, field) for field in fields])
93
        + ' FROM '+esc_name(db, table))
93 94
    if conds != {}:
94 95
        query += ' WHERE '+' AND '.join(map(cond, conds.iteritems()))
95 96
    if limit != None: query += ' LIMIT '+str(limit)
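Review bot: The LIMIT clause on the last line is still built by plain concatenation, `' LIMIT '+str(limit)`, so it is now the one value in this query that is neither escaped nor validated after fields, table and condition columns all go through esc_name(); coercing it first, `if limit is not None: query += ' LIMIT '+str(int(limit))`, rejects anything that is not an integer. The new comprehension on the SELECT line quotes every entry of `fields` as an identifier, so a caller that passes `*` or an expression such as `COUNT(*)` would now get an invalid query — worth confirming no caller does, or documenting that `fields` must be bare column names. `value == None` and `limit != None` should be `is None` / `is not None`. The enclosing function begins before this hunk and appears to continue after it.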
