On Thu, Jun 01, 2017 at 02:29:17AM -0700, Roshan Raghupathy wrote:
> Hi,
> I came across an issue yesterday. Post on stackoverflow
> <https://stackoverflow.com/questions/44287443/incorrect-escaping-in-django-sql-query>
>
> On further investigation today, I think I found the source of the issue.
> It's this line
> <https://github.com/django/django/blob/master/django/db/models/functions/datetime.py#L149>.
> The parameters which are escaped here are never reverted back to the
> original form.
> I tested a dirty fix by converting all '%%s' to '%s' and the query worked.
> Should I submit a bug? Has it been submitted already?

Hi Roshan,

I just took a quick look, and it seems you are right – in all of the
official backend implementations, the *_trunc_sql only use the second
argument in the right-hand side of string formatting, so this
double-percent escaping appears to be wrong there.

I did a quick search through the issue tracker and didn't find
anything about this issue. Would you mind submitting a new bug report?
It would be best if you could include a complete minimal example that
we could easily run to reproduce the problem.

Thanks,

Michal
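
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not Django's code: a value escaped with `%%` and then passed on the right-hand side of `%` formatting keeps its doubled percent signs, so a placeholder inside it no longer lines up with its parameter. The function names, the SQL fragment and the toy binding step are assumptions made for illustration.

```python
# Constructed sample: an inner SQL expression that already carries one
# DB-API "format"-style placeholder, plus the parameter meant for it.
INNER_SQL = "created_at AT TIME ZONE %s"
PARAMS = ["UTC"]


def escape_percent(sql):
    """Double every '%' so the text survives being used as a format template."""
    return sql.replace("%", "%%")


def trunc_sql(lookup_type, field_sql):
    """Hypothetical stand-in for a backend *_trunc_sql method. field_sql is an
    argument on the right-hand side of '%', so it is inserted verbatim and any
    '%%' inside it is NOT collapsed back to '%'."""
    return "DATE_TRUNC('%s', %s)" % (lookup_type, field_sql)


def build_escaped():
    # Behaviour described in the thread: escape first, then format.
    return trunc_sql("day", escape_percent(INNER_SQL))


def build_unescaped():
    # Without the extra escaping the placeholder stays a placeholder.
    return trunc_sql("day", INNER_SQL)


def bind(sql, params):
    """Toy model of 'format'-paramstyle binding: one pass of %-formatting with
    quoted values. The quoting is for display only, not a safe escaper."""
    quoted = tuple("'" + p.replace("'", "''") + "'" for p in params)
    return sql % quoted


def binds_ok(sql, params):
    try:
        bind(sql, params)
        return True
    except TypeError:  # placeholder count does not match parameter count
        return False


if __name__ == "__main__":
    for build in (build_escaped, build_unescaped):
        sql = build()
        print(build.__name__, "->", sql, "| binds:", binds_ok(sql, PARAMS))
```

Replacing `%%s` with `%s` in the escaped variant, the "dirty fix" mentioned in the first message, yields the same string as the unescaped variant.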