On Thu, Jul 16, 2009 at 4:04 PM, sebastien requiem <sebast...@requiem.fr> wrote:
> Hi guys,
>
> my problem may be Python only related but I dare post here anyway.
>
> I try to create databases on the fly according to some user input.
> After searching on the net, I realized that I can't use the following
> statement as %s will be replaced by '%s'. And the "CREATE DATABASE" statement
> forbids using quotes...
>
> So I decided to use Python's sweet % concatenation to solve my problem (even
> though this could lead me to SQL injection...)
>
> Here is my model:
>
> from django.db import connection, models
>
> class myClass(models.Model):
>     db_name = models.CharField('company name', unique=True, max_length=50)
>
>     def createAssociatedDatabase(self):
>         """
>         Create the User Database
>         """
>         cursor = connection.cursor()
>         # Identifier built by string formatting, not by parameter binding
>         cursor.execute("CREATE DATABASE %s" % self.db_name)

Should read:

    def createAssociatedDatabase(self):
        """
        Create the User Database
        """
        cursor = connection.cursor()
        # Identifier built by string formatting, not by parameter binding
        cursor.execute("CREATE DATABASE user_%s" % self.db_name)

> When I then use my method, I get the following error:
>
> >>> c.createAssociatedDatabase()
> Traceback (most recent call last):
>   File "<console>", line 1, in <module>
>   [...] admin/models.py", line 41, in createAssociatedDatabase
>     cursor.execute("CREATE DATABASE user_%s" % (self.db_name))
>   File "/var/lib/python-support/python2.6/django/db/backends/util.py", line 19, in execute
>     return self.cursor.execute(sql, params)
>   File "/var/lib/python-support/python2.6/django/db/backends/mysql/base.py", line 83, in execute
>     return self.cursor.execute(query, args)
>   File "/var/lib/python-support/python2.6/MySQLdb/cursors.py", line 166, in execute
>     self.errorhandler(self, exc, value)
>   File "/var/lib/python-support/python2.6/MySQLdb/connections.py", line 35, in defaulterrorhandler
>     raise errorclass, errorvalue
> ProgrammingError: (1064, "You have an error in your SQL syntax; check the
> manual that corresponds to your MySQL server version for the right syntax to
> use near ''test'' at line 1")
>
> But ...
>
> In a shell:
>
> >>> c = myClass()
> >>> c.db_name = "test"
> >>> cursor.execute("CREATE DATABASE user_%s" % (c.db_name))
> 1L
>
> Which is GOOD
>
> This means that the quoting is done in my method and not when I use the
> execute myself ...
>
> Any idea?
>
> Thank you very much!
>
> --
> sebastien requiem

--
sebastien requiem