Modify

Opened 14 years ago

Closed 12 years ago

#7671 closed enhancement (wontfix)

SQL Improvements

Reported by: Martin Scharrer Owned by: obs
Priority: normal Component: RenameTracUsersScript
Severity: normal Keywords: sql, patch
Cc: Trac Release: 0.11

Description

Hi,

I would change the SQL code as follows to e.g. make sure that user input cannot be taken as SQL commands. The trick is to insert the values which need to be constant for SQL first with pythons string substitution, but then provide the user input as arguments to cursor.execute().

I didn't had the time and chance to fully test the patch yet, but I should get the point.

  • renametracusersscript_modified/0.11/renametracusers/main.py

     
    4848        # ticket_change require special attention
    4949        db = self.env.get_db_cnx()
    5050        cur = db.cursor()
    51         cur.execute("UPDATE ticket_change SET  oldvalue='%s' WHERE field='owner' AND oldvalue='%s'" % (new_login, old_login))
    52         cur.execute("UPDATE ticket_change SET  newvalue='%s' WHERE field='owner' AND newvalue='%s'" % (new_login, old_login))
     51        cur.execute("UPDATE ticket_change SET  oldvalue=%s WHERE field='owner' AND oldvalue=%s", (new_login, old_login))
     52        cur.execute("UPDATE ticket_change SET  newvalue=%s WHERE field='owner' AND newvalue=%s", (new_login, old_login))
    5353        db.commit()
    5454        db.close()
    5555
     
    7373                if field in self.unique.get(table, []):
    7474                    db = self.env.get_db_cnx()
    7575                    cur = db.cursor()
    76                     cur.execute("DELETE FROM %s WHERE %s='%s'" % (table, field, old_login))
     76                    cur.execute("DELETE FROM %s WHERE %s=%%s" % (table, field), (old_login,))
    7777                    db.commit()
    7878                    db.close()
    7979
     
    8484                    # XXX this should work, but it doesn't, so instead do this the retarded way (thank you, SQL!)
    8585                    # cur.execute("UPDATE %s SET %s=%s WHERE %s=%s", (table, field, new_login, field, old_login))
    8686                   
    87                     cur.execute("UPDATE %s SET %s='%s' WHERE %s='%s'" % (table, field, new_login, field, old_login))
     87                    cur.execute("UPDATE %s SET %s=%%s WHERE %s=%%s" % (table, field, field), (new_login, old_login))
    8888                    db.commit()
    8989                    db.close()
    9090                except:

Attachments (0)

Change History (1)

comment:1 Changed 12 years ago by Ryan J Ollos

Resolution: wontfix
Status: newclosed

Plugin is deprecated, see #10901.

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain obs.
The resolution will be deleted. Next status will be 'reopened'.

Add Comment


E-mail address and name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.