Commit f0a7470e authored by Russell Keith-Magee's avatar Russell Keith-Magee

Fixed #10160 -- Modified evaluation of F() expressions to protect against...

Fixed #10160 -- Modified evaluation of F() expressions to protect against potential SQL injection attacks. Thanks to Ian Kelly for the suggestion and patch.

git-svn-id: http://code.djangoproject.com/svn/django/trunk@9820 bcc190cf-cafb-0310-a4f2-bffc1f526a37
parent d4a3a4b0
+1 −4
@@ -64,10 +64,7 @@ class SQLEvaluator(object):
            if hasattr(child, 'evaluate'):
                sql, params = child.evaluate(self, qn)
            else:
                try:
                    sql, params = qn(child), ()
                except:
                    sql, params = str(child), ()
                sql, params = '%s', (child,)

            if hasattr(child, 'children') > 1:
                format = '(%s)'
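Review bot: The new fallback `sql, params = '%s', (child,)` binds every child that lacks an `evaluate` method as a query parameter, but nothing records why, and a later reader who sees a plain value being bound instead of quoted may well reinstate the old `qn(child)` path; I would add above it `# Anything without evaluate() is a literal value: bind it as a query parameter so it is never interpolated into the SQL text (#10160).` A consequence worth stating in that comment is that a bare string child is now a value rather than a column name, so callers must resolve column references into objects with an `evaluate` method before they reach this point. Separately, the context line `if hasattr(child, 'children') > 1:` compares a bool with 1 and is therefore always false, so the `'(%s)'` wrapping never applies; it looks like it was meant to count the children, e.g. `len(getattr(child, 'children', ())) > 1`, though the intent should be confirmed against the rest of the method. The enclosing method starts before and continues after this hunk.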
+3 −3
@@ -160,10 +160,10 @@ class WhereNode(tree.Node):
            extra = ''

        if lookup_type in connection.operators:
            format = "%s %%s %s" % (connection.ops.lookup_cast(lookup_type),
                    extra)
            format = "%s %%s %%s" % (connection.ops.lookup_cast(lookup_type),)
            return (format % (field_sql,
                    connection.operators[lookup_type] % cast_sql), params)
                              connection.operators[lookup_type] % cast_sql,
                              extra), params)

        if lookup_type == 'in':
            if not value_annot:
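Review bot: Moving `extra` out of the first `%` and into the final one on the `return` line is the right fix, but without a comment it reads as a pointless reshuffle that someone may fold back; I would add above the `format = ...` line `# extra is SQL from an evaluated expression and may itself contain '%s' placeholders bound in params; substitute it in the last formatting pass so a second '%' never re-interprets it.` The fix only holds if the `params` returned here is the parameter list that accompanies `extra` whenever `extra` is non-empty, and that assignment is outside this hunk. Note that the result of `connection.ops.lookup_cast(lookup_type)` still passes through both `%` passes, so a backend whose cast template contains a literal percent sign would have to write it as `%%`; that is backend-controlled text rather than user input, so it is a caveat rather than a defect. The enclosing method starts before and continues after this hunk.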