Cross-db compatibility issue (SQLite can't insert multiple rows at once)
|Reported by:||rjollos||Owned by:||ChrisNelson|
Description (last modified by rjollos)
As Steffen pointed out in the mailing list thread, the plugin doesn't follow the Trac rules for DB API usage, as described in t:TracDev/DatabaseApi#RulesforDBAPIUsage. This will result in cross-db compatibility issues and the possibility of SQL injection.
Here is an example fix (untested, as I don't understand the plugin well enough to execute this pathway or write a test):
diff --git a/tracjsganttplugin/0.11/tracjsgantt/tracpm.py b/tracjsganttplugin/0. index 0f0c4ba..d5a90d7 100644
a b class TicketRescheduler(Component): 2904 2904 values.append(t['id']) 2905 2905 values.append(to_utimestamp(self.pm.start(t))) 2906 2906 values.append(to_utimestamp(self.pm.finish(t))) 2907 cursor.execute('INSERT INTO schedule' + \ 2908 ' (ticket, start, finish)' + \ 2909 ' VALUES %s' % valuesClause, 2910 values) 2911 2907 cursor.execute(""" 2908 INSERT INTO schedule (ticket, start, finish) 2909 VALUES %s""" % valuesClause, values) 2912 2910 2913 2911 # Finally, add history records to schedule_change 2914 2912 # for newly scheduled tickets.
Change History (29)
comment:12 Changed 3 years ago by ChrisNelson
- Priority changed from normal to high
- Severity changed from normal to major
comment:14 Changed 3 years ago by ChrisNelson
comment:16 in reply to: ↑ description ; follow-up: ↓ 17 Changed 3 years ago by ChrisNelson
comment:20 Changed 3 years ago by ChrisNelson
- Summary changed from Cross-db compatibility issues and possibility of SQL injection to Cross-db compatibility issue (SQLite can't insert multiple rows at once)