Modify ↓
#12423 closed defect (fixed)
SQL errors when used with Postgres
| Reported by: | anonymous | Owned by: | lucid |
|---|---|---|---|
| Priority: | normal | Component: | WeekPlanPlugin |
| Severity: | normal | Keywords: | |
| Cc: | Trac Release: | 1.0 |
Description
The field name "end" seems to be a reserved word in Postgres, so it needs to be quoted, otherwise I get SQL errors when adding events. Putting double quotes around all its instances in model.py fixes it.
Attachments (1)
Change History (8)
comment:1 Changed 9 years ago by
Changed 9 years ago by
| Attachment: | th12423-weekplanplugin-quote-end.diff added |
|---|
comment:2 Changed 9 years ago by
Thanks for the hint to db.quote().
Could anyone review or test the attached patch with Postgres?
Quoting the column name makes the code quite a bit uglier. I guess at some point the column could be renamed in a DB upgrade.
comment:3 Changed 9 years ago by
The patch seems to be good, but the plugin has SQL injection in the plans argument of select_by_plans_and_time(). We should use Parameter passing in trac:wiki:TracDev/DatabaseApi#Parameterpassing.
Change
with env.db_query as db: plan_sql = ','.join(["'%s'" % plan for plan in plans]) rows = db(""" SELECT id, plan, title, start, %s FROM weekplan WHERE plan in (%s) AND start < %%s AND %s > %%s """ % (db.quote('end'), plan_sql, db.quote('end')), (to_utimestamp(end), to_utimestamp(start)))
to
if not plans: return [] with env.db_query as db: plan_holder = ','.join(['%s'] * len(plans)) rows = db(""" SELECT id, plan, title, start, %s FROM weekplan WHERE plan IN (%s) AND start < %%s AND %s > %%s """ % (db.quote('end'), plan_holder, db.quote('end')), list(plans) + [to_utimestamp(end), to_utimestamp(start)])
Note: See
TracTickets for help on using
tickets.
Yeah, it is a reserved word. For cross-db compatibility, quote it using
db.quote()from the Trac database API.