Context Navigation

Modify ↓

#3129 closed defect (wontfix)

sql_sub_vars needs to escape formatstring characters.

Reported by:	itsme@…	Owned by:	Remy Blank
Priority:	low	Milestone:
Component:	report system	Version:	0.9.5
Severity:	minor	Keywords:
Cc:	itsme@…	Branch:
Release Notes:
API Changes:
Internal Changes:

Description (last modified by Remy Blank)

in report.py, in the function sql_sub_vars before substituting variables, the whole string should be format-string escaped

'\' should be replaced with '\\'
'%' should be replaced with '%%'

this will make it possible to write things like: field LIKE '%$PARAM%' in reports.

old tickets that relate to this subject: #1418 and #2536 and #2568

Attachments (0)

Change History (5)

comment:1 by anonymous, 19 years ago

Component:	general → report system
Owner:	changed from Jonas Borgström to daniel

comment:2 by Christian Boos, 18 years ago

Milestone:	→ 1.0
Priority:	normal → low
Severity:	normal → minor

comment:3 by Christian Boos, 15 years ago

Milestone:	1.0 → unscheduled

Milestone 1.0 deleted

comment:4 by Remy Blank, 14 years ago

Description:	modified (diff)
Milestone:	triaging → 0.13
Owner:	changed from daniel to Remy Blank

comment:5 by Remy Blank, 14 years ago

Milestone:	0.13
Resolution:	→ wontfix
Status:	new → closed

This issue is specific to LIKE-style operators, where wildcards can be used but should not necessarily be visible to the user.

While it would be possible to escape wildcards in the variable values automatically, doing so would require parsing enough of the SQL to find LIKE-style operators (REGEXP, GLOB, MATCH, …) and escaping each occurrence properly, which is tricky to get right cross-backend. Moreover, it would prevent writing reports where the user is supposed to be able to use wildcards.

So I suggest doing the escaping in the SQL itself (if desired), by using REPLACE() to escape the wildcards (example for SQLite):

SELECT id, summary, cc FROM ticket
WHERE cc LIKE '%' ||
              REPLACE(REPLACE(REPLACE($CC, '/', '//'), '_', '/_'), '%', '/%')
              || '%' ESCAPE '/'

Modify Ticket

Change Properties

Summary:
Description:	in report.py, in the function sql_sub_vars before substituting variables, the whole string should be format-string escaped * `'\'` should be replaced with `'\\'` * `'%'` should be replaced with `'%%'` this will make it possible to write things like: `field LIKE '%$PARAM%'` in reports. old tickets that relate to this subject: #1418 and #2536 and #2568 You may use WikiFormatting here.
Type:		Priority:
Milestone:		Component:
Version:		Severity:
Keywords:		Cc:	Set your email in Preferences
Branch:
Release Notes:
API Changes:
Internal Changes:

Action

leave as closed The owner will remain Remy Blank.

reopen The resolution will be deleted. Next status will be 'reopened'.

change ownership to The owner will be changed from Remy Blank to the specified user.

Add Comment

Your email or username:

E-mail address and name can be saved in the Preferences .

You may use WikiFormatting here.

Attachments ↑ Description ↑

Note: See TracTickets for help on using tickets.

Download in other formats: