Opened 5 years ago

Closed 22 months ago

#7671 closed enhancement (wontfix)

SQL Improvements

Reported by: martin_s
Owned by: obs
Priority: normal
Component: RenameTracUsersScript
Severity: normal
Keywords: sql, patch
Cc:
Trac Release: 0.11



I would change the SQL code as follows to e.g. make sure that user input cannot be taken as SQL commands. The trick is to insert the values which need to be constant for SQL first with Python's string substitution, but then provide the user input as arguments to cursor.execute().

I didn't have the time and chance to fully test the patch yet, but I should get the point.

  • renametracusersscript_modified/0.11/renametracusers/

    4848        # ticket_change require special attention
    4949        db = self.env.get_db_cnx()
    5050        cur = db.cursor()
    51         cur.execute("UPDATE ticket_change SET  oldvalue='%s' WHERE field='owner' AND oldvalue='%s'" % (new_login, old_login))
    52         cur.execute("UPDATE ticket_change SET  newvalue='%s' WHERE field='owner' AND newvalue='%s'" % (new_login, old_login))
     51        cur.execute("UPDATE ticket_change SET  oldvalue=%s WHERE field='owner' AND oldvalue=%s", (new_login, old_login))
     52        cur.execute("UPDATE ticket_change SET  newvalue=%s WHERE field='owner' AND newvalue=%s", (new_login, old_login))
    5353        db.commit()
    5454        db.close()
    7373                if field in self.unique.get(table, []):
    7474                    db = self.env.get_db_cnx()
    7575                    cur = db.cursor()
    76                     cur.execute("DELETE FROM %s WHERE %s='%s'" % (table, field, old_login))
     76                    cur.execute("DELETE FROM %s WHERE %s=%%s" % (table, field), (old_login,))
    7777                    db.commit()
    7878                    db.close()
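Review bot: At the new line 76 `table` and `field` are still spliced in with `%` formatting, which is unavoidable (DB-API parameters bind values, never identifiers), so the change is only safe while those names come from the plugin's own `self.unique` mapping, as the `if field in self.unique.get(table, [])` guard above implies, and never from user input; a comment stating that would help the next maintainer. The `%%s` escape is correct (it yields a single `%s` marker after formatting), and the one-element tuple `(old_login,)` is needed so the parameter list is a sequence rather than a bare string.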
    8484                    # XXX this should work, but it doesn't, so instead do this the retarded way (thank you, SQL!)
    8585                    # cur.execute("UPDATE %s SET %s=%s WHERE %s=%s", (table, field, new_login, field, old_login))
    87                     cur.execute("UPDATE %s SET %s='%s' WHERE %s='%s'" % (table, field, new_login, field, old_login))
     87                    cur.execute("UPDATE %s SET %s=%%s WHERE %s=%%s" % (table, field, field), (new_login, old_login))
    8888                    db.commit()
    8989                    db.close()
    9090                except:
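Review bot: The comment at lines 84-85 becomes misleading once line 87 is patched and should be updated: the commented-out call "doesn't work" precisely because placeholders cannot carry table or column names, which is the distinction the new line 87 now makes explicit (identifiers formatted in, values bound). Suggest replacing the two lines with something like `# identifiers cannot be bound as parameters, so only the values go to execute()`. The marker count checks out: the three `%s` consumed by `(table, field, field)` leave two `%%s` placeholders for `(new_login, old_login)`. As with the DELETE above, `table` and `field` must stay confined to the configured table map.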

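Added example (not part of the ticket or of the plugin's code) that runs the reporter's point against an in-memory SQLite copy of `ticket_change`: the original string-formatted UPDATE beside the parameterized one, with the table and column names confined to a constructed allow-list that stands in for the plugin's `self.unique` map. Plain `sqlite3` uses `?` markers where Trac's cursor wrapper accepts `%s`.

```python
import sqlite3

# Constructed allow-list of table -> columns the rename may touch; stands in
# for the plugin's self.unique mapping (an assumption about its contents).
ALLOWED = {"ticket_change": {"oldvalue", "newvalue"}}


def make_db():
    """Constructed in-memory stand-in for Trac's ticket_change table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ticket_change "
               "(ticket INTEGER, field TEXT, oldvalue TEXT, newvalue TEXT)")
    db.executemany("INSERT INTO ticket_change VALUES (?, ?, ?, ?)", [
        (1, "owner", "alice", "bob"),
        (2, "owner", "carol", "dave"),
        (3, "summary", "alice", "fixed typo"),
    ])
    return db


def rename_unsafe(db, table, field, old_login, new_login):
    """Original pattern: identifiers AND values spliced into the SQL text."""
    db.execute("UPDATE %s SET %s='%s' WHERE field='owner' AND %s='%s'"
               % (table, field, new_login, field, old_login))


def rename_safe(db, table, field, old_login, new_login):
    """Patched pattern: identifiers checked against the allow-list and
    formatted in; the two logins are bound as parameters by the driver."""
    if field not in ALLOWED.get(table, ()):
        raise ValueError("refusing to modify %s.%s" % (table, field))
    # sqlite3 expects '?' markers; Trac's cursor wrapper accepts '%s' here.
    db.execute("UPDATE %s SET %s=? WHERE field='owner' AND %s=?"
               % (table, field, field), (new_login, old_login))


def oldvalues(db):
    """Return {ticket: oldvalue} so the effect of each rename is visible."""
    return dict(db.execute("SELECT ticket, oldvalue FROM ticket_change"))


if __name__ == "__main__":
    db = make_db()
    rename_safe(db, "ticket_change", "oldvalue", "alice", "alice2")
    print(oldvalues(db))  # only ticket 1 (field='owner') is renamed
    # A login containing a quote is harmless when bound as a parameter...
    rename_safe(db, "ticket_change", "oldvalue", "nobody' OR '1'='1", "x")
    print(oldvalues(db))  # unchanged: no row has that literal oldvalue
    # ...but rewrites every row when spliced into the statement text.
    rename_unsafe(db, "ticket_change", "oldvalue", "nobody' OR '1'='1", "x")
    print(oldvalues(db))  # every ticket, including the summary change
```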
Attachments (0)

Change History (1)

comment:1 Changed 22 months ago by rjollos

  • Resolution set to wontfix
  • Status changed from new to closed

Plugin is deprecated, see #10901.
