Fix for issues #16, #17, #18 and #24. Or so it seems to me, anyway.
Added debug statements and fix for 0.12.3 bug
Updated all sql statements to new way of binding to variables.
Added debug statements
Changed the way ids are converted from numbers to strings.
Added the fix to the validation as well.
Added the fix to some more of the API methods.
You don't want to use string formatting to pass arguments to execute, as the values won't be escaped, and you introduce a vulnerability. For more info, see: http://trac.edgewall.org/wiki/TracDev/DatabaseApi#RulesforDBAPIUsage
Previous experience has demonstrated that the literal here needs to be single-quoted: WHERE name='%s', and avoid string formatting as described in the next comment.
cursor.execute("SELECT value FROM system WHERE name='%s'",
I can't say that wrapping the argument in a list will cause a problem, but the more idiomatic Trac thing to do is pass a tuple:
cursor.execute("DELETE FROM subtickets WHERE child=%s", (ticket.id, ))
Casting to str should not be done since the data is stored as int, IIIC.
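The point of the review comments above (bind the values instead of formatting them into the SQL text, and bind the ticket id as the int it is stored as), as an added example that is not part of this pull request or of Trac: it uses Python's sqlite3 module with `?` placeholders rather than Trac's DB API with `%s`, and the tables and rows are constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-ins for the `system` and `subtickets` tables.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE system (name TEXT PRIMARY KEY, value TEXT);
        CREATE TABLE subtickets (parent INTEGER, child INTEGER);
        INSERT INTO system VALUES ('subtickets_version', '2');
        INSERT INTO system VALUES ('O''Reilly plugin', 'x');
        INSERT INTO subtickets VALUES (1, 42), (1, 43), (2, 44);
    """)
    return conn


def get_value_formatted(conn, name):
    # The pattern the review warns against: the value is pasted into the SQL
    # string, so a quote inside `name` changes the statement instead of being data.
    cursor = conn.cursor()
    cursor.execute("SELECT value FROM system WHERE name='%s'" % name)
    row = cursor.fetchone()
    return row[0] if row else None


def get_value_bound(conn, name):
    # Parameter binding: the driver quotes and escapes the value itself.
    cursor = conn.cursor()
    cursor.execute("SELECT value FROM system WHERE name=?", (name,))
    row = cursor.fetchone()
    return row[0] if row else None


def delete_subtickets_bound(conn, ticket_id):
    # Bind the id as the int the column stores, no str() cast, and pass a tuple.
    cursor = conn.cursor()
    cursor.execute("DELETE FROM subtickets WHERE child=?", (ticket_id,))
    conn.commit()
    return cursor.rowcount


def demo():
    conn = make_db()
    results = {"bound_ok": get_value_bound(conn, "O'Reilly plugin")}
    try:
        get_value_formatted(conn, "O'Reilly plugin")
        results["formatted_error"] = None
    except sqlite3.OperationalError as exc:
        # The unescaped quote breaks the statement: near "Reilly": syntax error
        results["formatted_error"] = type(exc).__name__
    results["deleted"] = delete_subtickets_bound(conn, 42)
    results["remaining"] = conn.execute("SELECT COUNT(*) FROM subtickets").fetchone()[0]
    return results
```

Running `demo()` shows the bound query returning the row for a name containing a quote while the formatted query fails to parse, and the bound DELETE removing exactly the one row whose child id is 42.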