#227 Escaping Single Quotes in Postgres

closed-fixed
Oleg Broytman
Postgres (36)
5
2007-08-16
2007-08-16
fuchsd
No

Using Postgres 8.3, SQLObject-0-8.1, and psycopg2 2.0.5.1, the following code breaks:

from sqlobject import *

sqlhub.processConnection = connectionForURI('<some postgres DSN>')

class Foo(SQLObject):
    entry = StringCol()

Foo.createTable()
f = Foo(entry="Here's an entry")

With this error:
psycopg2.ProgrammingError: syntax error at or near "s"
LINE 1: INSERT INTO bar (id, entry) VALUES (1, 'Here\'s an entry')

Our Postgres server does not allow using a backslash to escape single quotes (this could potentially allow a SQL injection attack: http://www.postgresql.org/docs/8.2/static/runtime-config-compatible.html),
it only allows using another single quote (I'm not sure if we configured it to now allow escaping single quotes with backslashes, or if Postgres defaults to this behavior after a certain version).

This escaping is being done in the StringLikeConverter method at line 104 in converters.py.
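The mismatch in the report above can be reproduced without a database. The following is an added example, not part of the original ticket and not SQLObject's code: quote_backslash, quote_doubled and read_literal are hypothetical helpers, and read_literal is a simplified model of how a server scans one string literal with backslash escapes on or off.

```python
ENTRY = "Here's an entry"  # the value from the report

def quote_backslash(value):
    """Quoting style seen in the failing INSERT: ' is written as \\'."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"

def quote_doubled(value):
    """SQL-standard style: ' is written as ''; backslash is an ordinary character."""
    return "'" + value.replace("'", "''") + "'"

def read_literal(sql, backslash_escapes):
    """Scan one string literal at the start of sql.

    Returns (decoded_value, leftover_text). Simplified model (assumption):
    with backslash_escapes=True a backslash makes the next character literal;
    with False a backslash is just data. '' is always an escaped quote.
    """
    if not sql.startswith("'"):
        raise ValueError("not a string literal")
    out, i = [], 1
    while i < len(sql):
        ch = sql[i]
        if backslash_escapes and ch == "\\" and i + 1 < len(sql):
            out.append(sql[i + 1])
            i += 2
        elif ch == "'":
            if sql[i + 1:i + 2] == "'":      # doubled quote inside the literal
                out.append("'")
                i += 2
            else:                            # closing quote
                return "".join(out), sql[i + 1:]
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated string literal")

if __name__ == "__main__":
    for name, quoter in (("backslash", quote_backslash), ("doubled", quote_doubled)):
        literal = quoter(ENTRY)
        for mode in (True, False):
            value, leftover = read_literal(literal, mode)
            status = "ok" if (value, leftover) == (ENTRY, "") else "BROKEN"
            print(f"{name:9} escapes={mode!s:5} {status:6} value={value!r} leftover={leftover!r}")
```

With backslash escapes off, the backslash-quoted literal ends after `Here\` and the leftover text begins with `s`, which is where the reported syntax error points. The doubled-quote form decodes to the original value in both modes.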

Discussion

  • fuchsd
    2007-08-16

    • summary: Escaping Single Quotes --> Escaping Single Quotes in Postgres
     
  • Oleg Broytman
    2007-08-16

    • assigned_to: nobody --> phd
    • status: open --> closed-fixed