Opened 14 years ago
Closed 12 years ago
#7671 closed enhancement (wontfix)
SQL Improvements
Reported by: | Martin Scharrer | Owned by: | obs |
---|---|---|---|
Priority: | normal | Component: | RenameTracUsersScript |
Severity: | normal | Keywords: | sql, patch |
Cc: | | Trac Release: | 0.11 |
Description
Hi,
I would change the SQL code as follows to e.g. make sure that user input cannot be taken as SQL commands. The trick is to insert the values which need to be constant for SQL first with Python's string substitution, but then provide the user input as arguments to cursor.execute().
I didn't have the time or chance to fully test the patch yet, but you should get the point.
renametracusersscript_modified/0.11/renametracusers/main.py
48 48 # ticket_change require special attention 49 49 db = self.env.get_db_cnx() 50 50 cur = db.cursor() 51 cur.execute("UPDATE ticket_change SET oldvalue= '%s' WHERE field='owner' AND oldvalue='%s'" %(new_login, old_login))52 cur.execute("UPDATE ticket_change SET newvalue= '%s' WHERE field='owner' AND newvalue='%s'" %(new_login, old_login))51 cur.execute("UPDATE ticket_change SET oldvalue=%s WHERE field='owner' AND oldvalue=%s", (new_login, old_login)) 52 cur.execute("UPDATE ticket_change SET newvalue=%s WHERE field='owner' AND newvalue=%s", (new_login, old_login)) 53 53 db.commit() 54 54 db.close() 55 55 … … 73 73 if field in self.unique.get(table, []): 74 74 db = self.env.get_db_cnx() 75 75 cur = db.cursor() 76 cur.execute("DELETE FROM %s WHERE %s= '%s'" % (table, field, old_login))76 cur.execute("DELETE FROM %s WHERE %s=%%s" % (table, field), (old_login,)) 77 77 db.commit() 78 78 db.close() 79 79 … … 84 84 # XXX this should work, but it doesn't, so instead do this the retarded way (thank you, SQL!) 85 85 # cur.execute("UPDATE %s SET %s=%s WHERE %s=%s", (table, field, new_login, field, old_login)) 86 86 87 cur.execute("UPDATE %s SET %s= '%s' WHERE %s='%s'" % (table, field, new_login, field, old_login))87 cur.execute("UPDATE %s SET %s=%%s WHERE %s=%%s" % (table, field, field), (new_login, old_login)) 88 88 db.commit() 89 89 db.close() 90 90 except:
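Review bot: in the second and third hunks (the `DELETE FROM %s WHERE %s=%%s` and `UPDATE %s SET %s=%%s WHERE %s=%%s` lines) the table and field names are still spliced into the statement text with `%`. That is unavoidable, since DB-API parameters cannot bind identifiers, but the patch should then guarantee that `table` and `field` only ever hold names the script itself defines: check both against the script's own mapping (`self.unique` already maps tables to fields, as the `if field in self.unique.get(table, [])` context line shows) before formatting, so the only part of the query that comes from the rename request is the parameter tuple. The `%%s` escaping itself is correct: after the `%` formatting it leaves a literal `%s` placeholder for the `(old_login,)` and `(new_login, old_login)` tuples.

Review bot: the bare `except:` that closes the third hunk swallows any exception raised by the rewritten `cur.execute`, including a placeholder/parameter-count mismatch, which is the easiest mistake to make when switching from `'%s'` formatting to `%%s` placeholders, so a wrong line here would fail silently and leave the rename half done. Narrow it to the database error class, or at least log the exception, so the change can actually be verified from the log.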
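The difference the description is getting at, as an added example that is not part of the ticket or of the RenameTracUsersScript code: the same rename written once with plain string formatting and once with the constant identifiers formatted in first and the user-supplied values passed as parameters. It uses an in-memory `sqlite3` database with a constructed `ticket` table, `?` placeholders (Trac's own cursor wrapper takes `%s`, as in the patch), and an allow-list of table/column names that stands in for the script's `self.unique` mapping; all of those are assumptions of the example.

```python
import sqlite3

# Allow-list of identifiers the rename may touch. Identifiers cannot be bound as
# DB-API parameters, so they are validated here before being formatted into the
# statement. (Constructed for this example; it stands in for the script's
# self.unique mapping, whose real contents are not on the page.)
ALLOWED_COLUMNS = {
    "ticket": {"owner", "reporter"},
    "ticket_change": {"oldvalue", "newvalue"},
}


def identifier_allowed(table, field):
    """True only for table/column pairs the script itself defines."""
    return field in ALLOWED_COLUMNS.get(table, set())


def make_db():
    """Constructed sample database: three tickets owned by three users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ticket (id INTEGER PRIMARY KEY, owner TEXT)")
    db.executemany("INSERT INTO ticket (owner) VALUES (?)",
                   [("alice",), ("bob",), ("carol",)])
    db.commit()
    return db


def rename_unsafe(db, table, field, old_login, new_login):
    """The pre-patch pattern: every value, including the logins, is spliced
    into the SQL text, so a login containing a quote rewrites the WHERE clause."""
    cur = db.cursor()
    cur.execute("UPDATE %s SET %s='%s' WHERE %s='%s'"
                % (table, field, new_login, field, old_login))
    db.commit()
    return cur.rowcount  # number of rows the statement changed


def rename_safe(db, table, field, old_login, new_login):
    """The patched pattern: identifiers are allow-listed and formatted in first;
    the logins travel separately as parameters and can never become SQL."""
    if not identifier_allowed(table, field):
        raise ValueError("unknown table/column: %s.%s" % (table, field))
    cur = db.cursor()
    cur.execute('UPDATE "%s" SET "%s"=? WHERE "%s"=?' % (table, field, field),
                (new_login, old_login))
    db.commit()
    return cur.rowcount


def owners(db):
    """Current owner column, in ticket order, for inspecting the result."""
    return [row[0] for row in db.execute("SELECT owner FROM ticket ORDER BY id")]


if __name__ == "__main__":
    # A login value that happens to contain a quote: with string formatting it
    # turns the WHERE clause into "owner='nobody' OR '1'='1'" and every row is
    # renamed; with parameters it is compared as a plain string and matches nothing.
    odd_login = "nobody' OR '1'='1"
    db = make_db()
    print("unsafe rows changed:", rename_unsafe(db, "ticket", "owner", odd_login, "eve"))
    print("owners after unsafe rename:", owners(db))
    db = make_db()
    print("safe rows changed:", rename_safe(db, "ticket", "owner", odd_login, "eve"))
    print("safe rename of alice:", rename_safe(db, "ticket", "owner", "alice", "eve"))
    print("owners after safe rename:", owners(db))
```

`rename_safe` still formats `table` and `field` into the statement, exactly as the patch does, which is why the allow-list check comes first: parameterization protects the values, and the allow-list is what protects the identifiers.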
Plugin is deprecated, see #10901.