- Notifications
You must be signed in to change notification settings - Fork126
Escape single quotes with 2 backslashes#56
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Uh oh!
There was an error while loading.Please reload this page.
Changes fromall commits
File filter
Filter by extension
Conversations
Uh oh!
There was an error while loading.Please reload this page.
Jump to
Uh oh!
There was an error while loading.Please reload this page.
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -144,9 +144,9 @@ def escape_string(self, item): | ||
| if isinstance(item, bytes): | ||
| item = item.decode("utf-8") | ||
| # This is good enough when backslashes are literal, newlines are just followed, and the way | ||
| # to escape a single quote is toprecede it with 2 backslashes. | ||
| # (i.e. only special character is single quote) | ||
| return "'{}'".format(item.replace("'", "\\'")) | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others.Learn more. i know that per@susodapop this will be fixed elsewhere, but want to point out that the backslash character itself also needs to be escaped i think the correct replacement would be: | ||
| def escape_sequence(self, item): | ||
| l = map(str, map(self.escape_item, item)) | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -288,6 +288,20 @@ def test_get_columns(self): | ||
| for table in table_names: | ||
| cursor.execute('DROP TABLE IF EXISTS {}'.format(table)) | ||
| def test_escape_single_quotes(self): | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others.Learn more. this is great, probably want the same type of test for a string with a backslash in it, as in test_str="Many Linux users are upset that Windows uses\\ to separate path elements" | ||
| with self.cursor({}) as cursor: | ||
| table_name = 'table_{uuid}'.format(uuid=str(uuid4()).replace('-', '_')) | ||
| # Test escape syntax directly | ||
| cursor.execute("CREATE TABLE IF NOT EXISTS {} AS (SELECT 'you\\'re' AS col_1)".format(table_name)) | ||
Contributor There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others.Learn more. Just a note: this e2e test is really testing how DBSQL behaves rather than our connector. The connector escape behaviour is only called to escape parameters passed to the Connection.execute() method. This is a good test for demonstrating how to work with DBSQL. But the dynamic is not unique to | ||
| cursor.execute("SELECT * FROM {} WHERE col_1 LIKE 'you\\'re'".format(table_name)) | ||
| rows = cursor.fetchall() | ||
| assert rows[0]["col_1"] == "you're" | ||
| # Test escape syntax in parameter | ||
| cursor.execute("SELECT * FROM {} WHERE {}.col_1 LIKE %(var)s".format(table_name, table_name), parameters={"var": "you're"}) | ||
| rows = cursor.fetchall() | ||
| assert rows[0]["col_1"] == "you're" | ||
| def test_get_schemas(self): | ||
| with self.cursor({}) as cursor: | ||
| database_name = 'db_{uuid}'.format(uuid=str(uuid4()).replace('-', '_')) | ||