Database.execute duplicating percentage sign #325
I'm using MySQL. Here is an example of a query:
Thanks for reporting, I was able to reproduce the bug.
The problem happens when the query (1) contains a % sign inside a literal value and (2) does not have any $parameter.
We will fix it in the next release. But it is not good practice to put values inside the SQL query text, because it can lead to SQL injection. I recommend rewriting the query using query parameters:
```python
vals = [
    ('Marshalls_20180109_4_22.00/10.5%', 'B01FI911QO', '', 2, 1),
    ('4B-DAJQ-OM2O', 'B00JBF45W4', 'Capri Designs- Daily Journal - Hedgehog (Design by Sarah Watts) (Owl)', 2, 1),
    ('4C-YWG4-HK9L', 'B00JBGIZLK', 'Capri Designs- Perpetual Wall Calendar - Hedgehog (Design by Sarah Watts)', 2, 1),
]
# Each $(...) is sent as a bound query parameter, so the % in the first sku
# never becomes part of the SQL text (indexed placeholders reconstructed here;
# the extracted page showed a bare $vals in every position).
sql = """
INSERT INTO product (`sku`, `asin`, `title`, `user`, `marketplace`)
VALUES ($(vals[0][0]), $(vals[0][1]), $(vals[0][2]), $(vals[0][3]), $(vals[0][4])),
       ($(vals[1][0]), $(vals[1][1]), $(vals[1][2]), $(vals[1][3]), $(vals[1][4])),
       ($(vals[2][0]), $(vals[2][1]), $(vals[2][2]), $(vals[2][3]), $(vals[2][4]))
ON DUPLICATE KEY UPDATE
    product.`sku` = VALUES(product.`sku`),
    product.`asin` = VALUES(product.`asin`),
    product.`title` = VALUES(product.`title`),
    product.`user` = VALUES(product.`user`),
    product.`marketplace` = VALUES(product.`marketplace`);
"""
db.execute(sql)
```
Thanks for the fix.
I know it's best to use the query parameters. However, I'm building the query from a list of dictionaries where the key is the field and the value is the value. All of the dictionaries will have the same fields. Initially I wasn't able to think of a way to use query parameters since the length would be dynamic. But I'll give it another shot.
Currently, I'm escaping the values that are inserted into the SQL query to prevent SQL injection.
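The dynamic-length case raised in the comment above (a list of dicts with identical keys) does not require giving up on parameters, and it also sidesteps the %-duplication bug from the first reply, because no data ever enters the SQL text. The following is an added example, not code from the Pony ORM project or from either participant. It uses the standard-library sqlite3 module (qmark paramstyle) so it runs offline; with Pony you would run the same (sql, params) pair on the DB-API connection returned by `db.get_connection()`, or translate the placeholders into Pony's `$(...)` form. The upsert clause is written in SQLite's `ON CONFLICT ... DO UPDATE` spelling (MySQL: `ON DUPLICATE KEY UPDATE col = VALUES(col)`); the table `product`, the key column `sku`, the helper names and the sample rows are all assumptions.

```python
import re
import sqlite3

# Only the *shape* of the data (row and column count) is used to build the SQL
# skeleton; every value is bound as a parameter. Values containing '%', '$' or
# quote characters therefore need no escaping at all. (With a format-paramstyle
# MySQL driver a literal % in the SQL *text* must be written %%, but bound
# values still need nothing, which is exactly why parameters are preferred.)
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Constructed sample input: same fields in every dict, hostile-looking values.
ROWS = [
    {"sku": "Marshalls_20180109_4_22.00/10.5%", "asin": "B01FI911QO",
     "title": "", "user": 2, "marketplace": 1},
    {"sku": "4B-DAJQ-OM2O", "asin": "B00JBF45W4",
     "title": "Capri Designs- Daily Journal - Hedgehog (Owl)", "user": 2, "marketplace": 1},
    {"sku": "4C-YWG4-HK9L", "asin": "B00JBGIZLK",
     "title": "Wall Calendar $9.99 - 50% off', 'x'); DROP TABLE product; --",
     "user": 2, "marketplace": 1},
]


def quote_ident(name):
    """Table/column names come from dict keys and cannot be bound as parameters,
    so they are checked against a strict identifier pattern and quoted.
    Anything that does not match is rejected rather than escaped."""
    if not IDENT.match(name):
        raise ValueError("unsafe identifier: %r" % name)
    return '"%s"' % name


def build_upsert(table, rows, key):
    """Return (sql, params) for a multi-row INSERT ... ON CONFLICT DO UPDATE.

    The placeholder grid is len(rows) x len(columns) question marks; the values
    are flattened into `params` in the same order. Only validated identifiers
    ever appear inside the SQL string.
    """
    if not rows:
        raise ValueError("no rows to insert")
    columns = list(rows[0].keys())
    for r in rows:
        if list(r.keys()) != columns:
            raise ValueError("every row must have the same fields in the same order")
    cols_sql = ", ".join(quote_ident(c) for c in columns)
    row_sql = "(" + ", ".join("?" for _ in columns) + ")"
    values_sql = ", ".join(row_sql for _ in rows)
    updates = ", ".join("%s = excluded.%s" % (quote_ident(c), quote_ident(c))
                        for c in columns if c != key)
    sql = ("INSERT INTO %s (%s) VALUES %s ON CONFLICT(%s) DO UPDATE SET %s"
           % (quote_ident(table), cols_sql, values_sql, quote_ident(key), updates))
    params = [r[c] for r in rows for c in columns]
    return sql, params


def run_demo(rows=ROWS):
    """Create the table, run the upsert twice (second run takes the conflict
    path) and return the generated SQL, the row count and the stored titles."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "product" ("sku" TEXT PRIMARY KEY, "asin" TEXT, '
                 '"title" TEXT, "user" INTEGER, "marketplace" INTEGER)')
    sql, params = build_upsert("product", rows, "sku")
    conn.execute(sql, params)
    conn.execute(sql, params)
    stored = dict(conn.execute('SELECT "sku", "title" FROM "product"').fetchall())
    count = conn.execute('SELECT COUNT(*) FROM "product"').fetchone()[0]
    conn.close()
    return sql, count, stored


if __name__ == "__main__":
    generated_sql, n, titles = run_demo()
    print(generated_sql)
    print(n, titles)
```

The generated statement contains fifteen `?` placeholders and no data at all; the third row's title, which looks like an injection payload, is stored verbatim and the table survives. Rejecting rather than escaping unexpected identifiers is deliberate: escaping values is exactly the approach the reporter is currently relying on, and it is the one that broke.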
@kozlovsky I've been using this commit 2908838, which fixes this bug. However, I'm seeing the same issue with dollar signs. When I install the 0.7.3 release, I don't see the issue with duplicated dollar signs, but I see this issue with the duplicated percentage signs.
This is an issue that's corrupting our product data. Any ideas on how I can get both dollar signs and percentage signs escaping correctly?
added a commit on May 4, 2018
Thanks for reporting, it should be fixed now. I added some tests as well. The issue with dollars is slightly different than the issue with duplicated percentage signs: when using
```python
# '$$' is the escape for a literal '$' in a db.execute query string
sql = sql.replace('$', '$$')
db.execute(sql)
```