Opened 4 years ago

Closed 16 months ago

#7671 closed enhancement (wontfix)

SQL Improvements

Reported by: martin_s Owned by: obs
Priority: normal Component: RenameTracUsersScript
Severity: normal Keywords: sql, patch
Cc: Trac Release: 0.11

Description

Hi,

I would change the SQL code as follows, e.g. to make sure that user input cannot be taken as SQL commands. The trick is to insert the values which need to be constant for SQL first with Python's string substitution, but then provide the user input as arguments to cursor.execute().

I didn't have the time and chance to fully test the patch yet, but it should get the point across.

  • renametracusersscript_modified/0.11/renametracusers/main.py

     
    4848        # ticket_change require special attention 
    4949        db = self.env.get_db_cnx() 
    5050        cur = db.cursor() 
    51         cur.execute("UPDATE ticket_change SET  oldvalue='%s' WHERE field='owner' AND oldvalue='%s'" % (new_login, old_login)) 
    52         cur.execute("UPDATE ticket_change SET  newvalue='%s' WHERE field='owner' AND newvalue='%s'" % (new_login, old_login)) 
     51        cur.execute("UPDATE ticket_change SET  oldvalue=%s WHERE field='owner' AND oldvalue=%s", (new_login, old_login)) 
     52        cur.execute("UPDATE ticket_change SET  newvalue=%s WHERE field='owner' AND newvalue=%s", (new_login, old_login)) 
    5353        db.commit() 
    5454        db.close() 
    5555 
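Review bot: the split in lines 51-52 is the right one: `field='owner'` stays a literal inside the statement and only the two logins move into the parameter tuple, so a login containing a quote can no longer terminate the string and extend the WHERE clause. Because the parameters are bound positionally, the tuple order `(new_login, old_login)` must keep matching SET-then-WHERE; since both statements are identical apart from the column name, a loop over `('oldvalue', 'newvalue')` building one statement would stop the two from drifting apart.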
     
    7373                if field in self.unique.get(table, []): 
    7474                    db = self.env.get_db_cnx() 
    7575                    cur = db.cursor() 
    76                     cur.execute("DELETE FROM %s WHERE %s='%s'" % (table, field, old_login)) 
     76                    cur.execute("DELETE FROM %s WHERE %s=%%s" % (table, field), (old_login,)) 
    7777                    db.commit() 
    7878                    db.close() 
    7979 
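Review bot: `table` and `field` in line 76 still go through the `%` operator, which is unavoidable because parameter binding substitutes values only, never table or column names. That is acceptable here solely because `field` is taken from `self.unique` (line 73) rather than from a request, and a one-line comment saying so would keep the next reader from flagging it as the same injection the patch removes. The `%%s` is required so that the placeholder survives the formatting step as a literal `%s` for cursor.execute() to bind `old_login` into.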
     
    8484                    # XXX this should work, but it doesn't, so instead do this the retarded way (thank you, SQL!) 
    8585                    # cur.execute("UPDATE %s SET %s=%s WHERE %s=%s", (table, field, new_login, field, old_login)) 
    8686                     
    87                     cur.execute("UPDATE %s SET %s='%s' WHERE %s='%s'" % (table, field, new_login, field, old_login)) 
     87                    cur.execute("UPDATE %s SET %s=%%s WHERE %s=%%s" % (table, field, field), (new_login, old_login)) 
    8888                    db.commit() 
    8989                    db.close() 
    9090                except: 
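Review bot: the XXX comment in lines 84-85 is misleading once line 87 lands, since the commented-out form does not fail because of SQL in general but because a bound parameter is passed as a quoted value, so `table` and `field` would arrive as strings where the database expects identifiers. Replace the comment with that reason so nobody reintroduces it. Also note that the bare `except:` at line 90 will catch any error raised by the new call in line 87, including a parameter-count mismatch, so at minimum log the exception there rather than letting the rename fail silently.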

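As an added example (not code from the ticket, the RenameTracUsersScript plugin, or Trac itself), the script below reproduces both patterns from the patch against an in-memory sqlite3 stand-in for the ticket_change table: identifiers spliced in with the `%` operator after a whitelist check, values passed as parameters to cursor.execute(). It also shows the two failure modes the ticket touches on: a login containing a quote rewriting the WHERE clause in the pre-patch form, and the database refusing identifiers handed over as bound parameters (the commented-out line 85). The sample rows, the `ALLOWED_IDENTIFIERS` whitelist standing in for the plugin's `self.unique`, and every function name are assumptions of this example; plain sqlite3 uses `?` placeholders where the patch, going through Trac's cursor wrapper, writes `%%s`.

```python
import sqlite3

# Constructed sample rows (not taken from any Trac instance): a stand-in for the
# ticket_change table, which records (field, oldvalue, newvalue) per change.
SAMPLE_ROWS = [
    ("owner", "alice", "bob"),
    ("owner", "mallory", "alice"),
    ("owner", "carol", "dave"),
    ("summary", "alice", "alice2"),   # not an owner change; a rename must leave it alone
]

# Hypothetical whitelist standing in for the plugin's self.unique mapping:
# the only identifiers that may be spliced into a statement by string formatting.
ALLOWED_IDENTIFIERS = {
    "ticket_change": {"oldvalue", "newvalue"},
}


def fresh_db():
    """New in-memory database loaded with the constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ticket_change (field TEXT, oldvalue TEXT, newvalue TEXT)")
    db.executemany("INSERT INTO ticket_change VALUES (?, ?, ?)", SAMPLE_ROWS)
    db.commit()
    return db


def oldvalues(db):
    """All oldvalue cells in insertion order, to inspect what a rename touched."""
    return [row[0] for row in db.execute("SELECT oldvalue FROM ticket_change ORDER BY rowid")]


def identifier_allowed(table, field):
    """Whitelist check for anything that has to go through string formatting."""
    return field in ALLOWED_IDENTIFIERS.get(table, set())


def rename_unsafe(db, table, field, old_login, new_login):
    """Pre-patch pattern: identifiers AND values all go through the % operator,
    so a login containing a quote can rewrite the WHERE clause."""
    sql = "UPDATE %s SET %s='%s' WHERE field='owner' AND %s='%s'" % (
        table, field, new_login, field, old_login)
    cur = db.cursor()
    cur.execute(sql)
    db.commit()
    return cur.rowcount


def rename_safe(db, table, field, old_login, new_login):
    """Patched pattern: identifiers via % (after the whitelist check), values bound.
    sqlite3's own paramstyle is '?'; the patch writes %%s because Trac's cursor
    wrapper takes %s, and the doubled %% carries the placeholder past formatting."""
    if not identifier_allowed(table, field):
        raise ValueError("refusing unknown identifier %s.%s" % (table, field))
    sql = "UPDATE %s SET %s=? WHERE field='owner' AND %s=?" % (table, field, field)
    cur = db.cursor()
    cur.execute(sql, (new_login, old_login))
    db.commit()
    return cur.rowcount


def identifiers_bindable(db):
    """Tries the commented-out form from the patch (identifiers as parameters).
    Returns False when the database rejects it: a bound parameter is always a
    value, never a table or column name, so the statement cannot be prepared."""
    try:
        db.execute("UPDATE ? SET ?=? WHERE ?=?",
                   ("ticket_change", "oldvalue", "x", "oldvalue", "y"))
        return True
    except sqlite3.Error:
        return False


if __name__ == "__main__":
    hostile = "nobody' OR '1'='1"   # constructed hostile login value
    print("unsafe, hostile login, rows touched:",
          rename_unsafe(fresh_db(), "ticket_change", "oldvalue", hostile, "pwned"))
    print("safe,   hostile login, rows touched:",
          rename_safe(fresh_db(), "ticket_change", "oldvalue", hostile, "pwned"))
    print("identifiers bindable as parameters:", identifiers_bindable(fresh_db()))
```

Run as a script it prints 4, 0 and False: the unformatted login turns `AND oldvalue='nobody' OR '1'='1'` into a clause matching every row, the summary row included, while the bound version matches nothing because the whole string is compared as one value. The whitelist is the piece the patch leaves implicit; in the plugin the equivalent guarantee is that `table` and `field` only ever come from `self.unique`.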
Attachments (0)

Change History (1)

comment:1 Changed 16 months ago by rjollos

  • Resolution set to wontfix
  • Status changed from new to closed

Plugin is deprecated, see #10901.
