no such function: MONTH #10
Comments
Thanks for your feedback. Currently the CMDB module works only on the MySQL backend, as described in http://ralph.allegrogroup.com/doc/cmdb.html#installation. We're planning to enable this feature for SQLite and PostgreSQL in a later version. Patches welcome :)
There is a raw SQL query in this file. I don't know how it managed to pass the code review; however, if you stick to standard Django querysetting, you're good to go. Therefore, instead of: MONTH(ch.time)=%s use from ralph.cmdb.models import CI then query for the data: now = datetime.now() and aggregate ( https://docs.djangoproject.com/en/dev/topics/db/aggregation/ ). Unless you validate the type / kwargs['type'] argument, which is defined as \w+ in urls.py, this query is vulnerable to SQL injection.
The raw query is not pretty, and we will eventually replace it with something more integrated with the ORM (it's a little bit trickier than it looks), but you are mistaken about it being vulnerable to SQL injection, as
Indeed, I was mistaken by %s in the query and I automatically assumed there was % [params] somewhere further. I noticed that you also use SQLAlchemy, so even if Django itself doesn't cut it for you, you can use the SQLAlchemy wrapper for Django's models and do model.sa.query() and so on.
We will certainly get to that and come up with a solution that works on all supported database backends.
I'm closing this issue - there was no activity here for long enough and AFAIK, we are not going for db backends other than MySQL in the nearest future.
DatabaseError at /cmdb/changes/dashboard
Environment:
Request Method: GET
Request URL: http://10.13.37.21:8000/cmdb/changes/dashboard
Django Version: 1.4
Python Version: 2.7.3
Installed Applications:
[u'django.contrib.auth',
u'django.contrib.contenttypes',
u'django.contrib.sessions',
u'django.contrib.sites',
u'django.contrib.messages',
u'django.contrib.staticfiles',
u'django.contrib.admin',
u'djcelery',
u'south',
u'lck.django.common',
u'lck.django.activitylog',
u'lck.django.profile',
u'lck.django.score',
u'lck.django.tags',
u'gunicorn',
u'fugue_icons',
u'bob',
u'tastypie',
u'ralph.account',
u'ralph.business',
u'ralph.cmdb',
u'ralph.discovery',
u'ralph.integration',
u'ralph.ui',
u'ralph.dnsedit',
u'ralph.util',
u'ajax_select',
u'powerdns']
Installed Middleware:
(u'django.middleware.gzip.GZipMiddleware',
u'django.middleware.common.CommonMiddleware',
u'django.contrib.sessions.middleware.SessionMiddleware',
u'lck.django.common.middleware.TimingMiddleware',
u'django.middleware.locale.LocaleMiddleware',
u'django.middleware.csrf.CsrfViewMiddleware',
u'django.contrib.auth.middleware.AuthenticationMiddleware',
u'django.contrib.messages.middleware.MessageMiddleware',
u'lck.django.activitylog.middleware.ActivityMiddleware',
u'lck.django.common.middleware.ForceLanguageCodeMiddleware')
Traceback:
File "/home/ralph/lib/python2.7/site-packages/django/core/handlers/base.py" in get_response
Exception Type: DatabaseError at /cmdb/changes/dashboard
Exception Value: no such function: MONTH
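
The two points discussed in this thread, shown as an added example that is not Ralph's code: SQLite has no MONTH() function, and a placeholder bound through the driver behaves differently from a value pasted in with Python's % operator. The table `sample_change`, its rows and the function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory SQLite DB with constructed rows (hypothetical table, not Ralph's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sample_change (type TEXT, time TEXT)")
    conn.executemany(
        "INSERT INTO sample_change (type, time) VALUES (?, ?)",
        [("device", "2012-05-03 10:00:00"),
         ("device", "2012-06-11 09:30:00"),
         ("git", "2012-05-20 14:15:00")],
    )
    return conn

def has_month_function(conn):
    """MONTH() is MySQL-specific; SQLite rejects it when preparing the statement."""
    try:
        conn.execute("SELECT MONTH(time) FROM sample_change")
        return True
    except sqlite3.OperationalError:  # "no such function: MONTH"
        return False

def count_interpolated(conn, change_type, month):
    """Unsafe: Python's % operator pastes the value into the SQL text itself."""
    sql = ("SELECT COUNT(*) FROM sample_change WHERE type = '%s' "
           "AND CAST(strftime('%%m', time) AS INTEGER) = %d" % (change_type, month))
    return conn.execute(sql).fetchone()[0]

def count_bound(conn, change_type, month):
    """Safe: values are passed separately and are never parsed as SQL.
    sqlite3 spells the placeholder '?'; Django's cursor.execute(sql, params)
    spells it '%s' on every backend, which is easy to mistake for formatting."""
    sql = ("SELECT COUNT(*) FROM sample_change WHERE type = ? "
           "AND CAST(strftime('%m', time) AS INTEGER) = ?")
    return conn.execute(sql, (change_type, month)).fetchone()[0]

if __name__ == "__main__":
    conn = make_db()
    odd = "x' OR '1'='1"  # constructed input containing quote characters
    print("MONTH() available:", has_month_function(conn))
    print("normal input:", count_interpolated(conn, "device", 5), count_bound(conn, "device", 5))
    print("quoted input:", count_interpolated(conn, odd, 5), count_bound(conn, odd, 5))
```

With the quoted input, the interpolated query counts rows of every type for the month, while the bound query matches nothing because the whole string is compared as a literal type value.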