Context Navigation

Modify ↓

#7988 closed defect (worksforme)

Problems with sql_escape_percent function

Reported by:	Zeratul	Owned by:
Priority:	normal	Milestone:
Component:	general	Version:	0.11-stable
Severity:	minor	Keywords:	sql sql_escape_percent cursor.execute
Cc:		Branch:
Release Notes:
API Changes:
Internal Changes:

Description (last modified by Christian Boos)

Function sql_escape_percent(sql) from module trac/db/util.py is escaping quite too many characters. It's automatically used when executing sql statements with cursor.execute() and it replaces every '%' (percent sign) with '%%'. But '%' is sql special sign used in 'like' clauses - for example:

"SELECT oldvalue FROM ticket_change WHERE filed = 'comment' AND 
oldvalue LIKE '%.comment_number OR oldvalue = comment_number"

which may be useful for getting comment from database by comment_number. When above statement is executed via

cursor.execute("SELECT oldvalue FROM ticket_change WHERE filed =
 'comment' AND oldvalue LIKE '%.comment_number OR oldvalue = 
 comment_number")

the percent sign is doubled so the really executed query is:

"SELECT oldvalue FROM ticket_change WHERE filed = 'comment' AND 
oldvalue LIKE '%%.comment_number OR oldvalue = comment_number"

which theoretically gives the same results but is somehow strange…

Attachments (0)

Change History (2)

comment:1 by ebray, 15 years ago

Resolution:	→ worksforme
Status:	new → closed

That's what db.like() and db.like_escape() are for (besides that fact of different DBMS having subtle differences in LIKE). For example:

cursor.execute("SELECT name, author FROM wiki "
               "WHERE name " + db.like() +
               "GROUP BY name ORDER BY name, version",
               (db.like_escape(prefix) + '%',))

comment:2 by Christian Boos, 15 years ago

Description:	modified (diff)

made description readable

Modify Ticket

Change Properties

Summary:
Description:	Function `sql_escape_percent(sql)` from module trac/db/util.py is escaping quite too many characters. It's automatically used when executing sql statements with `cursor.execute()` and it replaces every '%' (percent sign) with '%%'. But '%' is sql special sign used in 'like' clauses - for example: {{{ "SELECT oldvalue FROM ticket_change WHERE filed = 'comment' AND oldvalue LIKE '%.comment_number OR oldvalue = comment_number" }}} which may be useful for getting comment from database by comment_number. When above statement is executed via {{{ cursor.execute("SELECT oldvalue FROM ticket_change WHERE filed = 'comment' AND oldvalue LIKE '%.comment_number OR oldvalue = comment_number") }}} the percent sign is doubled so the really executed query is: {{{ "SELECT oldvalue FROM ticket_change WHERE filed = 'comment' AND oldvalue LIKE '%%.comment_number OR oldvalue = comment_number" }}} which theoretically gives the same results but is somehow strange... You may use WikiFormatting here.
Type:		Priority:
Milestone:		Component:
Version:		Severity:
Keywords:		Cc:	Set your email in Preferences
Branch:
Release Notes:
API Changes:
Internal Changes:

Action

leave as closed The ticket will remain with no owner.

reopen The resolution will be deleted. Next status will be 'reopened'.

change ownership to The owner will be changed from (none) to the specified user.

Add Comment

Your email or username:

E-mail address and name can be saved in the Preferences .

You may use WikiFormatting here.

Attachments ↑ Description ↑

Note: See TracTickets for help on using tickets.

Download in other formats: