sql_quote backslash escape

Bug #142612 reported by Bug Importer
This bug affects 1 person
Affects: Zope 2
Status: Won't Fix
Importance: Medium
Assigned to: Unassigned
Milestone:

Bug Description

I use DocumentTemplate.HTMLFile(s) for sql queries.

Adding a sql_quote to my <dtml-var> tags quotes the ' but entering a \ in a form that is translated to e.g.:

INSERT INTO tblData (column) VALUES ('<dtml-var form_data sql_quote>')

yields an error.

I have added the following line to DT_Var.py and I think it is useful for all sql_quote users, since its name IMHO suggests something along the lines of: "manipulate a string such that it can be used safely as a value-string in a query"

<START CODE>

def sql_quote(v, name='(Unknown name)', md={}):
    """Quote single quotes in a string by doubling them.

    This is needed to securely insert values into sql
    string literals in templates that generate sql.
    THIJS COBBEN: Also backslashes need to be escaped for that
    """
    if v.find("'") >= 0: v = v.replace("'", "''")
    if v.find("\\") >= 0: v = v.replace("\\","\\\\")
    return v

<END CODE>

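As an added example (not part of the bug report and not Zope's own code), the following simulates how a database lexer reads the INSERT from the report under two string-literal conventions, with the shipped sql_quote behaviour beside the reporter's proposed version. parse_literal, database_sees and the backslash_escapes flag are my own simplification; the form input is constructed.

```python
# Added example (not Zope code): simulate how a database lexer reads the
# INSERT from the report under two string-literal conventions.

def sql_quote_original(v):
    """Zope's sql_quote as shipped: only doubles single quotes."""
    return v.replace("'", "''")

def sql_quote_proposed(v):
    """The reporter's variant: doubles single quotes and backslashes."""
    return v.replace("'", "''").replace("\\", "\\\\")

def parse_literal(sql, backslash_escapes):
    """Minimal lexer for one single-quoted literal starting at sql[0].

    backslash_escapes=True models dialects where a backslash escapes the next
    character inside a literal (MySQL's default); False models standard SQL,
    where a backslash is ordinary data and only '' escapes a quote.
    Returns (decoded_value, remainder); raises ValueError if unterminated.
    """
    out, i = [], 1
    while i < len(sql):
        c = sql[i]
        if backslash_escapes and c == "\\" and i + 1 < len(sql):
            out.append(sql[i + 1])      # escaped character, taken literally
            i += 2
        elif c == "'" and sql[i + 1:i + 2] == "'":
            out.append("'")             # doubled quote -> one quote
            i += 2
        elif c == "'":
            return "".join(out), sql[i + 1:]   # closing quote
        else:
            out.append(c)
            i += 1
    raise ValueError("unterminated string literal")

def database_sees(quote, value, backslash_escapes):
    """Quote `value`, embed it in the report's INSERT, and return
    (value_as_stored, sql_after_literal), or None if the literal never ends
    (the error the reporter hit)."""
    sql = "INSERT INTO tblData (column) VALUES ('%s')" % quote(value)
    try:
        return parse_literal(sql[sql.index("'"):], backslash_escapes)
    except ValueError:
        return None

if __name__ == "__main__":
    path = "C:\\temp\\"   # constructed form input ending in a backslash
    for name, quote in (("original", sql_quote_original), ("proposed", sql_quote_proposed)):
        for dialect in (True, False):
            print(name, "backslash_escapes=%s" % dialect, database_sees(quote, path, dialect))
```

The last combination is the caveat: on a backend that does not treat backslash as an escape, the proposed doubling stores altered data, which is why bind parameters rather than string quoting are the robust fix for both dialects.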
Hanno Schlichting (hannosch) wrote :

Seems like nobody has been in support of this feature in the last years.

Changed in zope2:
status: New → Won't Fix
Michael Shulman (shulman) wrote :

I found the lack of this behaviour very confusing! Any function that is presented as "the way to insert string data into a SQL query" should do all quotation necessary so that the actual string passed is the string that the database sees.
