#227 Escaping Single Quotes in Postgres

closed-fixed
Postgres (36)
5
2007-08-16
2007-08-16
fuchsd
No

Using Postgres 8.3, SQLObject-0-8.1, and psycopg2 2.0.5.1, the following code breaks:

from sqlobject import *

sqlhub.processConnection = connectionForURI('<some postgres DSN>')

class Foo(SQLObject):
    entry = StringCol()

Foo.createTable()
# the value contains a single quote, which the converter escapes as \'
f = Foo(entry="Here's an entry")

With this error:
psycopg2.ProgrammingError: syntax error at or near "s"
LINE 1: INSERT INTO bar (id, entry) VALUES (1, 'Here\'s an entry')

Our Postgres server does not allow using a backslash to escape single quotes (this could potentially allow a SQL injection attack: http://www.postgresql.org/docs/8.2/static/runtime-config-compatible.html); it only allows using another single quote (I'm not sure if we configured it to not allow escaping single quotes with backslashes, or if Postgres defaults to this behavior after a certain version).

This escaping is being done in the StringLikeConverter method at line 104 in converters.py.
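The following is an added example, not SQLObject's or psycopg2's code: it contrasts the backslash escaping that produced the error above with SQL-standard doubled quotes, and includes a small reader that consumes a literal the way Postgres does when backslashes are not treated as escapes. The INSERT text and the sample value come from the error line in the report; the helper names are constructed.

```python
# Added example, not SQLObject's code: the two quoting styles from the report,
# plus a reader that consumes a literal as standard_conforming_strings does.

def escape_backslash(value):
    """Escape the way the converter in this report did: ' becomes \\'."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def escape_standard(value):
    """SQL-standard quoting: a single quote inside the literal is doubled."""
    return "'" + value.replace("'", "''") + "'"


def parse_standard_literal(sql):
    """Read one quoted literal from the start of sql with the rule Postgres
    applies when standard_conforming_strings is on: backslash is an ordinary
    character and only '' keeps the literal open.
    Returns (decoded value, text left after the closing quote)."""
    if not sql.startswith("'"):
        raise ValueError("literal must start with a single quote")
    out = []
    i = 1
    while i < len(sql):
        ch = sql[i]
        if ch == "'":
            if sql[i + 1:i + 2] == "'":   # doubled quote -> literal quote
                out.append("'")
                i += 2
                continue
            return "".join(out), sql[i + 1:]  # closing quote
        out.append(ch)
        i += 1
    raise ValueError("unterminated quoted string")


def insert_statement(entry, escape):
    """Build the INSERT from the report's error line with the given escaper."""
    return "INSERT INTO bar (id, entry) VALUES (1, %s)" % escape(entry)


def literal_and_rest(entry, escape):
    """Where does a standard-conforming parser think the literal ends?"""
    sql = insert_statement(entry, escape)
    start = sql.index("VALUES (1, ") + len("VALUES (1, ")
    return parse_standard_literal(sql[start:])


if __name__ == "__main__":
    for esc in (escape_backslash, escape_standard):
        value, rest = literal_and_rest("Here's an entry", esc)
        print(esc.__name__, "->", repr(value), "then", repr(rest))
```

With backslash escaping the literal closes after `Here\` and the parser is left looking at `s an entry')`, which is exactly the token the error message points at; the doubled-quote form round-trips the value and leaves only the closing parenthesis.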

Discussion

  • fuchsd - 2007-08-16
    • summary: Escaping Single Quotes --> Escaping Single Quotes in Postgres

  • Oleg Broytman - 2007-08-16
    • assigned_to: nobody --> phd
    • status: open --> closed-fixed
