Opened 8 years ago

Closed 5 years ago

#7671 closed enhancement (wontfix)

SQL Improvements

Reported by: Martin Scharrer
Owned by: obs
Priority: normal
Component: RenameTracUsersScript
Severity: normal
Keywords: sql, patch
Cc:
Trac Release: 0.11

I would change the SQL code as follows to e.g. make sure that user input cannot be taken as SQL commands. The trick is to insert the values which need to be constant for SQL first with Python's string substitution, but then provide the user input as arguments to cursor.execute().

I didn't have the time and chance to fully test the patch yet, but it should get the point across.

  • renametracusersscript_modified/0.11/renametracusers/

    4848        # ticket_change require special attention
    4949        db = self.env.get_db_cnx()
    5050        cur = db.cursor()
    51         cur.execute("UPDATE ticket_change SET  oldvalue='%s' WHERE field='owner' AND oldvalue='%s'" % (new_login, old_login))
    52         cur.execute("UPDATE ticket_change SET  newvalue='%s' WHERE field='owner' AND newvalue='%s'" % (new_login, old_login))
     51        cur.execute("UPDATE ticket_change SET  oldvalue=%s WHERE field='owner' AND oldvalue=%s", (new_login, old_login))
     52        cur.execute("UPDATE ticket_change SET  newvalue=%s WHERE field='owner' AND newvalue=%s", (new_login, old_login))
    5353        db.commit()
    5454        db.close()
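Review bot: The two UPDATE statements now bind new_login and old_login as parameters instead of interpolating them into the statement text, which is the right fix for this hunk; everything left in the query string (ticket_change, oldvalue, newvalue, field='owner') is a literal from the source, not input. One style point while these lines are being touched: the double space in `SET  oldvalue` and `SET  newvalue` is harmless but could be collapsed.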
    7373                if field in self.unique.get(table, []):
    7474                    db = self.env.get_db_cnx()
    7575                    cur = db.cursor()
    76                     cur.execute("DELETE FROM %s WHERE %s='%s'" % (table, field, old_login))
     76                    cur.execute("DELETE FROM %s WHERE %s=%%s" % (table, field), (old_login,))
    7777                    db.commit()
    7878                    db.close()
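Review bot: On the new line 76, `table` and `field` are still spliced in with Python string formatting. That is unavoidable, since DB-API parameters can only carry values, not table or column names, but it is only acceptable because the hunk shows `field` being taken from `self.unique.get(table, [])`, the plugin's own table/field list, never from request input. A short comment on that line saying so, and noting that `%%s` is the escaped placeholder that survives the `%` formatting step, would keep a later maintainer from "simplifying" it back into a single interpolation.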
    8484                    # XXX this should work, but it doesn't, so instead do this the retarded way (thank you, SQL!)
    8585                    # cur.execute("UPDATE %s SET %s=%s WHERE %s=%s", (table, field, new_login, field, old_login))
    87                     cur.execute("UPDATE %s SET %s='%s' WHERE %s='%s'" % (table, field, new_login, field, old_login))
     87                    cur.execute("UPDATE %s SET %s=%%s WHERE %s=%%s" % (table, field, field), (new_login, old_login))
    8888                    db.commit()
    8989                    db.close()
    9090                except:
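Review bot: Once the new line 87 is in, the XXX comment at lines 84-85 becomes misleading: it says binding the identifiers "should work", but the commented-out statement fails precisely because a bound parameter is always a value, so the database will not accept it where a table or column name is required. Replace the two-line comment with a one-line note that identifiers are formatted in from the plugin's own table list while new_login and old_login are bound, the same split used on line 76. The bare `except:` visible at line 90 also deserves a follow-up: it swallows every error, including the SQL syntax errors this patch is meant to stop, so narrowing it or at least logging the exception would make failures of the rename visible.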

Attachments (0)
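The split the ticket description proposes (identifiers spliced in with Python formatting, login values handed to cursor.execute() as parameters) can be exercised against an in-memory SQLite database. The following is an added example, not code from the ticket or from the RenameTracUsersScript plugin: the tables are a constructed, simplified version of the two Trac tables the patch touches, the UNIQUE dictionary is a hypothetical stand-in for the plugin's self.unique mapping, and sqlite3's ? placeholder is used where Trac's database wrapper uses %s. It shows the "before" form choking on a login containing an apostrophe, the "after" form handling it, and why binding an identifier (the commented-out line 85 in the patch) cannot work.

```python
import sqlite3

# Hypothetical allow-list standing in for the plugin's self.unique mapping:
# table name -> columns that hold a login. Only these may be spliced into SQL text.
UNIQUE = {
    "permission": ["username"],
    "ticket_change": ["author"],
}


def make_db():
    # Constructed in-memory schema; only the columns the rename touches are modelled.
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE permission (username TEXT, action TEXT);
        CREATE TABLE ticket_change (ticket INTEGER, field TEXT, oldvalue TEXT, newvalue TEXT);
        INSERT INTO permission VALUES ('obrien', 'TICKET_VIEW');
        INSERT INTO permission VALUES ('alice', 'TICKET_VIEW');
        INSERT INTO ticket_change VALUES (1, 'owner', 'obrien', 'alice');
        """
    )
    return db


def rename_unsafe(db, table, field, old_login, new_login):
    # 'Before' form from the ticket: identifiers AND login values are all
    # interpolated into the statement text, so a quote in a login is parsed as SQL.
    cur = db.cursor()
    cur.execute("UPDATE %s SET %s='%s' WHERE %s='%s'" % (table, field, new_login, field, old_login))
    db.commit()
    return cur.rowcount


def rename_safe(db, table, field, old_login, new_login):
    # 'After' form: identifiers are checked against the allow-list and formatted in;
    # the login values travel as bound parameters (sqlite3 uses ?, Trac's wrapper uses %s).
    if field not in UNIQUE.get(table, []):
        raise ValueError("refusing to splice unknown identifier %s.%s into SQL" % (table, field))
    cur = db.cursor()
    cur.execute("UPDATE %s SET %s=? WHERE %s=?" % (table, field, field), (new_login, old_login))
    db.commit()
    return cur.rowcount


def rename_ticket_owner_history(db, old_login, new_login):
    # The ticket_change hunk: nothing in the statement varies except the values, so only they are bound.
    cur = db.cursor()
    cur.execute("UPDATE ticket_change SET oldvalue=? WHERE field='owner' AND oldvalue=?", (new_login, old_login))
    cur.execute("UPDATE ticket_change SET newvalue=? WHERE field='owner' AND newvalue=?", (new_login, old_login))
    db.commit()


def count_login(db, table, field, login):
    # Read-back helper with the same identifier/value split as rename_safe.
    if field not in UNIQUE.get(table, []):
        raise ValueError("refusing to splice unknown identifier %s.%s into SQL" % (table, field))
    return db.execute("SELECT COUNT(*) FROM %s WHERE %s=?" % (table, field), (login,)).fetchone()[0]


def ticket_owner_rows(db, login):
    # Rows of owner history that still mention the given login in either column.
    sql = "SELECT COUNT(*) FROM ticket_change WHERE field='owner' AND (oldvalue=? OR newvalue=?)"
    return db.execute(sql, (login, login)).fetchone()[0]


def identifier_binding_fails(db):
    # Mirrors the commented-out line 85 of the patch: a bound parameter is always a
    # value, so the statement cannot even be prepared with ? in identifier position.
    try:
        db.execute("UPDATE ? SET ?=? WHERE ?=?", ("permission", "username", "x", "username", "y"))
    except sqlite3.OperationalError:
        return True
    return False


def demo():
    # Renames 'obrien' to "o'brien": the apostrophe is exactly the kind of input
    # that breaks (or subverts) string-formatted SQL but is harmless when bound.
    results = {}
    db = make_db()
    try:
        rename_unsafe(db, "permission", "username", "obrien", "o'brien")
        results["unsafe_error"] = None
    except sqlite3.OperationalError as exc:
        results["unsafe_error"] = str(exc)

    db = make_db()
    results["safe_updated"] = rename_safe(db, "permission", "username", "obrien", "o'brien")
    results["safe_count"] = count_login(db, "permission", "username", "o'brien")
    rename_ticket_owner_history(db, "obrien", "o'brien")
    results["history_count"] = ticket_owner_rows(db, "o'brien")
    results["identifier_bind_fails"] = identifier_binding_fails(db)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%s: %r" % (key, value))
```

The allow-list check in rename_safe is the piece the patch relies on implicitly: the formatted-in identifiers are only safe because they come from the plugin's own table list, so making that check explicit is what keeps the two halves of the technique honest.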

Change History (1)

comment:1 Changed 5 years ago by Ryan J Ollos

Resolution: wontfix
Status: new → closed

Plugin is deprecated, see #10901.
