Re: Sanitize schema name

On 13/05/2015 16:13, Elliot S wrote:
> I like this idea and drafted it up.
>
> Looking for comments on this patch:
>
> https://github.com/yieldsfalsehood/psycopg2/commit/f86f773de6ee99e2d7a2807136dcb458d97ba852
>
> In short:
> 1. identifier quoting may use PQescapeIdentifier if it's available,
> otherwise the pure-psyco escaping is done
> 2. the %t format is now accepted, and its value must be either a
> string or bytes (no error handling is done yet if this isn't the case) -
> replacement for this calls out to the identifier quoting

The patch looks fine to me but your tests should cover all corner cases:

1) spaces in identifiers
2) double quotes in identifiers
3) a mix of upper- and lower-case characters

I'd also like to see the tests compare the result with the result of a
"SELECT quote_ident(...)" call, just to be future proof.

Also, I'd expose the quoting function in psycopg.extensions to let the
user build the query string separately from the .execute() call: this is
useful if you want to stick to DBAPI in your .execute() call. I.e., to
allow something like:

from psycopg.extensions import quote_ident

query = "SELECT %s FROM %s WHERE id = %%s" % (
quote_ident('table'), quote_ident('col'))

curs.execute(query, (id_value,))

federico

--
Federico Di Gregorio federico(dot)digregorio(at)dndg(dot)it
Di Nunzio & Di Gregorio srl http://dndg.it
One key. One input. One enter. All right. -- An american consultant
(then the system crashed and took down the *entire* network)