[Django] #31589: Raw queries do not work if any DB content column has the % symbol


Django

May 14, 2020, 1:39:19 PM5/14/20
to django-...@googlegroups.com
#31589: Raw queries do not work if any DB content column has the % symbol
-------------------------------------+-------------------------------------
Reporter: jotauses                   | Owner: nobody
Type: Bug                            | Status: new
Component: Database layer (models, ORM) | Version: 3.0
Severity: Normal                     | Keywords: raw query
Triage Stage: Unreviewed             | Has patch: 0
Needs documentation: 0               | Needs tests: 0
Patch needs improvement: 0           | Easy pickings: 0
UI/UX: 0                             |
-------------------------------------+-------------------------------------
**Only fails if any DB content column has the % symbol**.

{{{
# titulo_infocor (the title being searched for) is spliced into the SQL text
# with str.format(), so the database driver sees its characters as part of the query.
query_postgresql = """SELECT *, similarity(titulo, '{0}') AS similarity
FROM pdc_pdc ORDER BY similarity DESC;"""

pdc = Pdc.objects.raw(query_postgresql.format(titulo_infocor))
}}}

Column "titulo" content = "This is a test 80%".


Traceback:

{{{
File "C:\Users\-----\AppData\Local\Programs\Python\Python38-32\lib\site-packages\django\db\backends\utils.py", line 86, in _execute
    return self.cursor.execute(sql, params)
IndexError: tuple index out of range
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/31589>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

May 14, 2020, 2:57:18 PM5/14/20
to django-...@googlegroups.com
#31589: Raw queries do not work if any DB content column has the % symbol.

-------------------------------------+-------------------------------------
Reporter: jotauses                   | Owner: nobody
Type: Bug                            | Status: closed
Component: Database layer (models, ORM) | Version: 3.0
Severity: Normal                     | Resolution: invalid
Keywords: raw query                  | Triage Stage: Unreviewed
Has patch: 0                         | Needs documentation: 0
Needs tests: 0                       | Patch needs improvement: 0
Easy pickings: 0                     | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by felixxm):

* status: new => closed
* resolution: => invalid


Comment:

My understanding is that you passed `titulo_infocor = "This is a test 80%"`; this is not supported and moreover you’re at risk for SQL injection. Please check [https://docs.djangoproject.com/en/3.0/topics/db/sql/#passing-parameters-into-raw Passing parameters into raw()] or use one of [https://code.djangoproject.com/wiki/TicketClosingReasons/UseSupportChannels support channels] if you have further questions.

--
Ticket URL: <https://code.djangoproject.com/ticket/31589#comment:1>
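The following is an added example, not code from the ticket or from Django itself. It shows the difference between the reporter's `str.format()` pattern and the parameter passing felixxm points to, using a standard-library `sqlite3` database so it runs offline. The `raw()` helper is an assumed stand-in for `Manager.raw()` that applies the same `%s`-placeholder convention Django's sqlite backend uses (`%s` becomes `?`, `%%` becomes a literal `%`); the `similarity()` function is a constructed stand-in for PostgreSQL's pg_trgm function, and the `pdc_pdc` rows are constructed sample data. The exact exception raised by the unsafe path depends on the driver (psycopg2 reports a stray `%` in the query text as the `IndexError` seen in the ticket; sqlite trips over the unbalanced quote instead), but the cause is the same: user data is being read as SQL.

```python
import re
import sqlite3
from difflib import SequenceMatcher

# Same convention as Django's sqlite backend: %s placeholders are rewritten to
# sqlite's ? and a doubled %% becomes a literal %. The raw() helper below is an
# assumed stand-in for Manager.raw(), not Django's own code.
FORMAT_QMARK_REGEX = re.compile(r"(?<!%)%s")


def make_db():
    """In-memory stand-in for the reporter's pdc_pdc table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    # sqlite has no similarity(); register a constructed stand-in for pg_trgm's.
    conn.create_function(
        "similarity", 2,
        lambda a, b: SequenceMatcher(None, a or "", b or "").ratio(),
    )
    conn.execute("CREATE TABLE pdc_pdc (id INTEGER PRIMARY KEY, titulo TEXT)")
    conn.executemany("INSERT INTO pdc_pdc (titulo) VALUES (?)", [
        ("This is a test 80%",),
        ("Another title",),
        ("O'Brien's report",),
    ])
    return conn


def raw(conn, sql, params=()):
    """Execute SQL the way raw() does: %s placeholders, values bound by the driver."""
    converted = FORMAT_QMARK_REGEX.sub("?", sql).replace("%%", "%")
    return conn.execute(converted, tuple(params)).fetchall()


def unsafe_best_match(conn, titulo):
    """The ticket's pattern: user data spliced into the SQL text with str.format()."""
    sql = """SELECT titulo, similarity(titulo, '{0}') AS similarity
             FROM pdc_pdc ORDER BY similarity DESC"""
    rows = raw(conn, sql.format(titulo))
    return rows[0][0]


def safe_best_match(conn, titulo):
    """The fix: the value travels as a bound parameter and never touches the SQL text."""
    sql = """SELECT titulo, similarity(titulo, %s) AS similarity
             FROM pdc_pdc ORDER BY similarity DESC"""
    rows = raw(conn, sql, [titulo])
    return rows[0][0]


def safe_contains(conn, fragment):
    """A literal % in parameterised SQL must be doubled; the parameter itself is not."""
    sql = "SELECT titulo FROM pdc_pdc WHERE titulo LIKE '%%' || %s || '%%' ORDER BY id"
    return [r[0] for r in raw(conn, sql, [fragment])]


def classify(fn, conn, value):
    """Return fn's result, or the exception class name if the query fails."""
    try:
        return fn(conn, value)
    except Exception as exc:  # the failure class is the point being shown
        return type(exc).__name__


if __name__ == "__main__":
    db = make_db()
    for value in ("This is a test 80%", "O'Brien's report"):
        print(repr(value), "unsafe:", classify(unsafe_best_match, db, value),
              "| safe:", classify(safe_best_match, db, value))
    print("contains 'test':", safe_contains(db, "test"))
```

The parameterised query returns the expected row for every input, including the one with the `%` and the one with the apostrophe, because the driver never parses the value as SQL. The formatted query breaks as soon as the data contains a character the SQL grammar cares about, and the same mechanism that breaks it is what lets an attacker alter the query.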
