On Thu, Jul 16, 2009 at 4:04 PM, sebastien requiem <sebast...@requiem.fr> wrote:

> Hi guys,
>
>
> my problem may be python only related but I dare posting here anyway.
>
> I try to create databases on the fly according to some user input.
> After searching on the net, I realized that I can't use the following
> statement
> as %s will be replaced by '%s'. And "CREATE DATABASE" statement
> forbids using quotes...
>
>
> So I decided to use python's sweet % concatenation to solve my problem
> (even
> though this could lead me to sql injection...)
>
>
> Here is my model :
>
>
>
> class myClass(models.Model):
>         db_name = models.CharField('company name', unique=True,
> max_length = 50)
>
>         def createAssociatedDatabase(self):
>                 """
>                 Create the User Database
>                 """
>                 cursor = connection.cursor()
>                 cursor.execute("CREATE DATABASE %s" % self.db_name)
>


Should read :

        def createAssociatedDatabase(self):
                """
                Create the User Database
                """
                cursor = connection.cursor()
                cursor.execute("CREATE DATABASE user_%s" % self.db_name)




>
>
>
> when I then use my method, I got the following error :
>
> >>> c.createAssociatedDatabase()
>
> Traceback (most recent call last):
>   File "<console>", line 1, in <module>
>   [...] admin/models.py", line 41, in createAssociatedDatabase
>     cursor.execute("CREATE DATABASE user_%s" % (self.db_name))
>   File "/var/lib/python-support/python2.6/django/db/backends/util.py", line
> 19, in execute
>     return self.cursor.execute(sql, params)
>   File
> "/var/lib/python-support/python2.6/django/db/backends/mysql/base.py", line
> 83, in execute
>     return self.cursor.execute(query, args)
>   File "/var/lib/python-support/python2.6/MySQLdb/cursors.py", line 166, in
> execute
>     self.errorhandler(self, exc, value)
>   File "/var/lib/python-support/python2.6/MySQLdb/connections.py", line 35,
> in defaulterrorhandler
>     raise errorclass, errorvalue
> ProgrammingError: (1064, "You have an error in your SQL syntax; check the
> manual that corresponds to your MySQL server version for the right syntax to
> use near ''test'' at line 1")
>
>
> But ...
>
>
> In a shell :
> >>> c = myClass()
> >>> c.db_name = "test"
> >>> cursor.execute("CREATE DATABASE user_%s" % (c.db_name))
> 1L
>
>
> Which is GOOD
>
>
>
> This means that the Quoting is done in my method and not when I use the
> execute myself ...
>
>
> any idea ?
>
>
> thank you very much !
>
> --
> sebastien requiem
>



-- 
sebastien requiem
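The two behaviours in the thread come from the same fact: CREATE DATABASE takes an identifier, so the string-literal quoting that cursor.execute(sql, params) applies yields CREATE DATABASE user_'test' and the syntax error near ''test'', while the % operator avoids the quotes but pastes user input straight into the statement. The following is an added example, not code from the original post: it keeps the % construction but only after the name has passed a strict identifier check, and quotes the result as a MySQL identifier with backticks. The 50-character limit mirrors the model's max_length; the function and regex names are my own.

```python
import re

# Accept only ASCII letters, digits and underscores, at most 50 characters
# (the CharField's max_length). Anything else cannot be an identifier we
# want, so it is rejected outright instead of being escaped. MySQL limits
# database names to 64 characters; "user_" plus 50 stays within that.
DB_NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,50}$")


def is_valid_db_name(db_name):
    """True if db_name is safe to embed as a MySQL identifier."""
    return isinstance(db_name, str) and DB_NAME_RE.match(db_name) is not None


def build_create_database_sql(db_name):
    """Return the CREATE DATABASE statement for db_name, or raise ValueError.

    The value is embedded with %, as in the post, but only after the
    whitelist check above, and it is wrapped in backticks (MySQL identifier
    quoting) rather than the single quotes a bound parameter would get.
    """
    if not is_valid_db_name(db_name):
        raise ValueError("invalid database name: %r" % (db_name,))
    return "CREATE DATABASE `user_%s`" % db_name


def create_associated_database(cursor, db_name):
    """Validate the name, then run the statement on a DB-API cursor
    (e.g. django.db.connection.cursor()). No parameters are passed, so the
    backend does no literal quoting of its own."""
    cursor.execute(build_create_database_sql(db_name))
```

The statement is built once and passed to execute() without a params argument, so Django's backend does not attempt to quote it; inputs containing backticks, spaces, semicolons or quotes never reach the database because they fail the check first.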

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to 
django-users+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/django-users?hl=en
-~----------~----~----~----~------~----~------~--~---
