On Thu, Jul 16, 2009 at 4:04 PM, sebastien requiem <sebast...@requiem.fr>wrote:
> Hi guys,
>
>
> my problem may be python only related but I dare posting here anyway.
>
> I try to create databases on the fly according to some user input.
> After searching on the net, I realized that I can't use the following
> statement
> as %s will be replaced by '%s'. And "CREATE DATABASE" statement
> forbids using quotes...
>
>
> So I decided to use python's sweet % concatenation to solve my problem
> (even
> though this could lead me to sql injection...)
>
>
> Here is my model :
>
>
>
> class myClass(models.Model):
> db_name = models.CharField('company name', unique='true',
> max_length = 50)
>
> def createAssociatedDatabase(self):
> """
> Create the User Database
> """
> cursor = connection.cursor()
> cursor.execute("CREATE DATABASE %s" % self.db_name)
>
Should read :
def createAssociatedDatabase(self):
"""
Create the User Database
"""
cursor = connection.cursor()
cursor.execute("CREATE DATABASE user_%s" % self.db_name)
>
>
>
> when I then use my method, I got the following error :
>
> >>> c.createAssociatedDatabase()
>
> Traceback (most recent call last):
> File "<console>", line 1, in <module>
> [...] admin/models.py", line 41, in createAssociatedDatabase
> cursor.execute("CREATE DATABASE user_%s" *%* (self.db_name))
> File "/var/lib/python-support/python2.6/django/db/backends/util.py", line
> 19, in execute
> return self.cursor.execute(sql, params)
> File
> "/var/lib/python-support/python2.6/django/db/backends/mysql/base.py", line
> 83, in execute
> return self.cursor.execute(query, args)
> File "/var/lib/python-support/python2.6/MySQLdb/cursors.py", line 166, in
> execute
> self.errorhandler(self, exc, value)
> File "/var/lib/python-support/python2.6/MySQLdb/connections.py", line 35,
> in defaulterrorhandler
> raise errorclass, errorvalue
> ProgrammingError: (1064, "You have an error in your SQL syntax; check the
> manual that corresponds to your MySQL server version for the right syntax to
> use near ''test'' at line 1")
>
>
> But ...
>
>
> In a shell :
> >>> c = myClass()
> >>> c.db_name = "test"
> >>> cursor.execute("CREATE DATABASE user_%s" % (c.db_name))
> 1L
>
>
> Which is GOOD
>
>
>
> This means that the Quoting is done in my method and not when I use the
> execute myself ...
>
>
> any idea ?
>
>
> thank you very much !
>
> --
> sebastien requiem
>
--
sebastien requiem
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to
django-users+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/django-users?hl=en
-~----------~----~----~----~------~----~------~--~---
