From 0cf8a2cab6aa027efe695265c5a14c529e96f279 Mon Sep 17 00:00:00 2001
From: joetsoi
Date: Mon, 16 Dec 2013 15:12:10 +0000
Subject: [PATCH] [#1374] datastore:use bind params instead of string formatting
---
 ckanext/datastore/plugin.py | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/ckanext/datastore/plugin.py b/ckanext/datastore/plugin.py
index d5a02cb6cf5..ad2cfdb22f0 100644
--- a/ckanext/datastore/plugin.py
+++ b/ckanext/datastore/plugin.py
@@ -180,10 +180,9 @@ def _read_connection_has_correct_privileges(self):
 try:
 write_connection.execute(u'CREATE TEMP TABLE _foo ()')
 for privilege in ['INSERT', 'UPDATE', 'DELETE']:
- test_privilege_sql = u"SELECT has_table_privilege('{user}', '_foo', '{privilege}')"
- sql = test_privilege_sql.format(user=read_connection_user,
- privilege=privilege)
- have_privilege = write_connection.execute(sql).first()[0]
+ test_privilege_sql = u"SELECT has_table_privilege(%s, '_foo', %s)"
+ have_privilege = write_connection.execute(
+ test_privilege_sql, (read_connection_user, privilege)).first()[0]
 if have_privilege:
 return False
 finally:
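Review bot: The new `test_privilege_sql` string relies on `%s` being the database driver's own placeholder style, and nothing on the line says so. It works only if a plain string given to `write_connection.execute()` reaches the driver unchanged, which is presumably the case here; a later edit that puts a literal `%` in the statement, or wraps it differently, would break the binding. I would add a comment above it such as `# %s placeholders are bound by the DB driver; never format values into this string`. Since the statement no longer changes per iteration, the assignment can also move above the `for privilege in ...` loop. The enclosing method starts before this hunk and its `finally:` body continues past it, so the cleanup of `_foo` is not visible here.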