[Sqlalchemy-tickets] Issue #3334: Wrong quoting in PostgreSQL query (zzzeek/sqlalchemy)
From: Leonardo R. <iss...@bi...> - 2015-03-20 13:44:56
New issue 3334: Wrong quoting in PostgreSQL query
https://bitbucket.org/zzzeek/sqlalchemy/issue/3334/wrong-quoting-in-postgresql-query

Leonardo Rossi:

I have a problem with sql quoting on this query:

```python
database_user = "test\"quo'te"
engine.execute("""SELECT 1 FROM pg_roles WHERE rolname='%s'""", database_user)
```

Traceback:

```
Traceback (most recent call last):
  File "/home/vagrant/.virtualenvs/invenio2/bin/inveniomanage", line 9, in <module>
    load_entry_point('invenio==2.1.0.dev20150305', 'console_scripts', 'inveniomanage')()
  File "/home/vagrant/.virtualenvs/invenio2/src/invenio/invenio/base/manage.py", line 103, in main
    manager.run()
  File "/home/vagrant/.virtualenvs/invenio2/local/lib/python2.7/site-packages/flask_script/__init__.py", line 412, in run
    result = self.handle(sys.argv[0], sys.argv[1:])
  File "/home/vagrant/.virtualenvs/invenio2/local/lib/python2.7/site-packages/flask_script/__init__.py", line 383, in handle
    res = handle(*args, **config)
  File "/home/vagrant/.virtualenvs/invenio2/src/invenio/invenio/ext/script/__init__.py", line 148, in __call__
    res = super(SignalingCommand, self).__call__(*args, **kwargs)
  File "/home/vagrant/.virtualenvs/invenio2/local/lib/python2.7/site-packages/flask_script/commands.py", line 216, in __call__
    return self.run(*args, **kwargs)
  File "/home/vagrant/.virtualenvs/invenio2/src/invenio/invenio/base/scripts/database.py", line 93, in init
    database_pass=current_app.config['CFG_DATABASE_PASS'],
  File "/home/vagrant/.virtualenvs/invenio2/src/invenio/invenio/ext/sqlalchemy/utils.py", line 387, in initialize_database_user
    database_user)
  File "/home/vagrant/.virtualenvs/invenio2/local/lib/python2.7/site-packages/sqlalchemy/engine/base.py", line 1751, in execute
    return connection.execute(statement, *multiparams, **params)
  File "/home/vagrant/.virtualenvs/invenio2/local/lib/python2.7/site-packages/sqlalchemy/engine/base.py", line 721, in execute
    return self._execute_text(object, multiparams, params)
  File "/home/vagrant/.virtualenvs/invenio2/local/lib/python2.7/site-packages/sqlalchemy/engine/base.py", line 870, in _execute_text
    statement, parameters
  File "/home/vagrant/.virtualenvs/invenio2/local/lib/python2.7/site-packages/sqlalchemy/engine/base.py", line 958, in _execute_context
    context)
  File "/home/vagrant/.virtualenvs/invenio2/local/lib/python2.7/site-packages/sqlalchemy/engine/base.py", line 1159, in _handle_dbapi_exception
    exc_info
  File "/home/vagrant/.virtualenvs/invenio2/local/lib/python2.7/site-packages/sqlalchemy/util/compat.py", line 199, in raise_from_cause
    reraise(type(exception), exception, tb=exc_tb)
  File "/home/vagrant/.virtualenvs/invenio2/local/lib/python2.7/site-packages/sqlalchemy/engine/base.py", line 951, in _execute_context
    context)
  File "/home/vagrant/.virtualenvs/invenio2/local/lib/python2.7/site-packages/sqlalchemy/engine/default.py", line 436, in do_execute
    cursor.execute(statement, parameters)
sqlalchemy.exc.ProgrammingError: (ProgrammingError) syntax error at or near "test"
LINE 1: SELECT 1 FROM pg_roles WHERE rolname=''test"quo''te''
                                               ^
 "SELECT 1 FROM pg_roles WHERE rolname='%s'" (u'test"quo\'te',)
```