From 13d4caea7d2edf8c9e809c2a370c03954dca850e Mon Sep 17 00:00:00 2001
From: Dominik Moritz
Date: Thu, 25 Apr 2013 16:30:43 +0200
Subject: [PATCH] [#825] Replace % with %% to escape it in sql statements
---
 ckanext/datastore/db.py | 2 +-
 ckanext/datastore/tests/test_search.py | 12 ++++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/ckanext/datastore/db.py b/ckanext/datastore/db.py
index 3a33d451220..ec29322f378 100644
--- a/ckanext/datastore/db.py
+++ b/ckanext/datastore/db.py
@@ -1108,7 +1108,7 @@ def search_sql(context, data_dict):
 context['connection'].execute(
 u'SET LOCAL statement_timeout TO {0}'.format(timeout))
 results = context['connection'].execute(
- data_dict['sql']
+ data_dict['sql'].replace('%', '%%')
 )
 return format_results(context, results, data_dict)
 
diff --git a/ckanext/datastore/tests/test_search.py b/ckanext/datastore/tests/test_search.py
index 85ad9727cca..c4b58013112 100644
--- a/ckanext/datastore/tests/test_search.py
+++ b/ckanext/datastore/tests/test_search.py
@@ -513,6 +513,18 @@ def test_select_basic(self):
 assert result['records'] == res_dict_alias['result']['records']
+ def test_select_where_like_with_percent(self):
+ query = 'SELECT * FROM public."{0}" WHERE "author" LIKE \'tol%\''.format(self.data['resource_id'])
+ data = {'sql': query}
+ postparams = json.dumps(data)
+ auth = {'Authorization': str(self.sysadmin_user.apikey)}
+ res = self.app.post('/api/action/datastore_search_sql', params=postparams,
+ extra_environ=auth)
+ res_dict = json.loads(res.body)
+ assert res_dict['success'] is True
+ result = res_dict['result']
+ assert result['records'] == self.expected_records
+
 def test_self_join(self):
 query = '''
 select a._id as first, b._id as second
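Review bot: The new `.replace('%', '%%')` line is only correct because the DB-API layer underneath `connection.execute` (presumably psycopg2, given the PostgreSQL `SET LOCAL statement_timeout` just above) applies format-style parameter parsing and turns `%%` back into `%` before the statement reaches the server; nothing on that line records this coupling, so a later switch to a non-interpolating execute path would silently send `%%` to PostgreSQL, where it is two LIKE wildcards or a syntax error in a modulo expression. Add a why-comment above it: `# Double '%' so the driver's format-style parameter parsing does not reject it; the driver un-doubles it before PostgreSQL sees the query.` A caveat worth stating in the release notes: a client that was already working around the bug by sending `%%` itself now gets `%%%%`, which reaches the server as `%%` and breaks a modulo such as `_id %% 2`. Note also that this is an escape for the driver, not input sanitisation — the statement is still user-supplied SQL executed verbatim, so the read-only guarantees for this endpoint must come from elsewhere. search_sql's body starts before the hunk.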
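Review bot: test_select_where_like_with_percent exercises `%` only as a LIKE wildcard, so the more fragile cases that go through the same `.replace('%', '%%')` — `%` as the modulo operator (e.g. `WHERE "_id" % 2 = 0`; `_id` is a real column, test_self_join below selects it) and a query that already contains `%%` — remain uncovered; one extra request for each, asserting `res_dict['success'] is True`, would pin the driver-unescaping assumption the fix depends on. The `query` assignment also runs far past the line length of the neighbouring tests; move the `.format(self.data['resource_id'])` call onto its own continuation line. `self.expected_records` is defined outside the hunk, so whether `LIKE 'tol%'` is meant to match the whole fixture or a subset cannot be checked from here — if it is a subset, the test will fail for a reason unrelated to `%` handling.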