On 31 October 2012 20:23, Shai Berger <[email protected]> wrote:
> This, almost worthy of being called an sql injection, can't be the right way
> to achieve the goal. In fact, the Oracle backend (or even some higher, more
> generic level) should have doubled those '"' characters to make them part of
> the name. But -- save length issues -- the ploy succeeds:

It seems none of the backends implement any form of quote escaping in their quote_name() methods. But is it actually possible to have a table in Oracle with a name containing a double quote?

--
Łukasz Rekucki
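The difference between wrapping an identifier in quotes and doubling its embedded quotes first, shown as an added example that is not part of the original message and is not Django's code. The function names and the sample table names are hypothetical, and SQLite stands in as the database only because it runs offline and accepts doubled quotes inside a quoted identifier; the example says nothing about what Oracle permits.

```python
import sqlite3


def quote_name_naive(name):
    """Wrap the identifier in double quotes with no escaping."""
    return '"%s"' % name


def quote_name_escaped(name):
    """Standard SQL identifier quoting: double each embedded quote, then wrap."""
    if "\x00" in name:
        raise ValueError("NUL byte in identifier")
    return '"%s"' % name.replace('"', '""')


def created_name(quote, name):
    """Create a table called `name` using `quote` in a fresh in-memory database.

    Returns the name SQLite actually recorded, or None if the statement failed.
    """
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute("CREATE TABLE %s (id INTEGER)" % quote(name))
        row = conn.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table'"
        ).fetchone()
        return row[0]
    except sqlite3.Error:
        return None
    finally:
        conn.close()


# Constructed sample identifiers, not taken from the thread.
SAMPLE_NAMES = ["plain", "with space", 'audit"log', 'a""b']


def mismatches(quote):
    """Map each sample name that did not round-trip to what was stored instead."""
    results = {name: created_name(quote, name) for name in SAMPLE_NAMES}
    return {name: got for name, got in results.items() if got != name}


if __name__ == "__main__":
    print("naive  :", mismatches(quote_name_naive))
    print("escaped:", mismatches(quote_name_escaped))
```

With the unescaped wrapper, one sample name makes the statement fail outright and another silently creates a table under a different name, so a test that only checks for errors would miss the second case.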
