sql_quote backslash escape
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Zope 2 | Won't Fix | Medium | Unassigned |
Bug Description
I use DocumentTemplat
Adding sql_quote to my <dtml-var> tags quotes the ', but entering a \ in a form that is translated to e.g.:
INSERT INTO tblData (column) VALUES ('<dtml-var form_data sql_quote>')
yields an error.
I have added the following line to DT_Var.py and I think it is useful for all sql_quote users since its name IMHO suggests something along the lines of: "manipulate a string such that it can be used safely as a value-string in a query"
<START CODE>
def sql_quote(v, name='(Unknown name)', md={}):
    """Quote single quotes in a string by doubling them.
    This is needed to securely insert values into sql
    string literals in templates that generate sql.
    THIJS COBBEN: Also backslashes need to be escaped for that
    """
    if v.find("'") >= 0: v = v.replace("'", "''")
    # The report's line was cut off after "v.replace("; doubling the
    # backslash is the completion its docstring implies (assumed here).
    if v.find("\\") >= 0: v = v.replace("\\", "\\\\")
    return v
<END CODE>
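As an added example (not code from the bug report or from Zope), the two quoting variants are checked against a small parser of single-quoted literals that models both escaping dialects, alongside the parameterized alternative; `parse_literal`, `round_trips` and `via_parameter` are helpers written here, and the tblData table is constructed in memory.

```python
import sqlite3

def sql_quote_original(v):
    """Zope's sql_quote behaviour: only single quotes are doubled."""
    return v.replace("'", "''")

def sql_quote_patched(v):
    """The report's proposal: additionally double every backslash."""
    return v.replace("'", "''").replace("\\", "\\\\")

def parse_literal(text, backslash_escapes):
    """Parse text as exactly one single-quoted SQL literal; return its value,
    or None if it is unterminated or has characters after the closing quote.
    backslash_escapes=True models MySQL's default (backslash escapes the next
    char); False models standard SQL (SQLite, Oracle, PostgreSQL default)."""
    if not text.startswith("'"):
        return None
    out, i = [], 1
    while i < len(text):
        ch = text[i]
        if ch == "'":
            if text[i + 1:i + 2] == "'":   # doubled quote -> one literal quote
                out.append("'")
                i += 2
                continue
            # closing quote: only valid if it is the last character
            return "".join(out) if i == len(text) - 1 else None
        if ch == "\\" and backslash_escapes:
            if i + 1 >= len(text):
                return None                # backslash ate the closing quote
            out.append(text[i + 1])
            i += 2
            continue
        out.append(ch)
        i += 1
    return None                            # never terminated

def round_trips(quote, value, backslash_escapes):
    """True if embedding quote(value) in '...' decodes back to value."""
    return parse_literal("'" + quote(value) + "'", backslash_escapes) == value

def via_parameter(value):
    """Constructed in-memory table: a bound parameter needs no quoting."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tblData (data TEXT)")
    con.execute("INSERT INTO tblData (data) VALUES (?)", (value,))
    return con.execute("SELECT data FROM tblData").fetchone()[0]
```

A trailing backslash (the report's scenario) leaves the original sql_quote's literal unterminated on a backslash-escaping backend, while the patched version corrupts the stored value on a standard-SQL backend, so no single sql_quote is correct for every dialect; a bound parameter round-trips on both.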
Seems like nobody has been in support of this feature in the last years.