From: Elliot S <yields(dot)falsehood(at)gmail(dot)com>
To: Federico Di Gregorio <fog(at)dndg(dot)it>, psycopg(at)postgresql(dot)org
Subject: Re: Sanitize schema name
Date: 2015-05-20 12:28:49
Message-ID: 555C7E01.3030401@gmail.com
Lists: psycopg

Sounds good, thanks for the feedback. I should have time to work on this
today and tomorrow.
On 05/20/2015 04:14 AM, Federico Di Gregorio wrote:
> On 13/05/2015 16:13, Elliot S wrote:
>> I like this idea and drafted it up.
>>
>> Looking for comments on this patch:
>>
>> https://github.com/yieldsfalsehood/psycopg2/commit/f86f773de6ee99e2d7a2807136dcb458d97ba852
>>
>> In short:
>> 1. identifier quoting may use PQescapeIdentifier if it's available,
>> otherwise the pure-psyco escaping is done
>> 2. the %t format is now accepted, and its value must be either a
>> string or bytes (no error handling is done yet if this isn't the case) -
>> replacement for this calls out to the identifier quoting
>
> The patch looks fine to me but your tests should cover all corner cases:
>
> 1) spaces in identifiers
> 2) double quotes in identifiers
> 3) a mix of upper- and lower-case characters
>
> I'd also like to see the tests compare the result with the result of a
> "SELECT quote_ident(...)" call, just to be future proof.
>
> Also, I'd expose the quoting function in psycopg.extensions to let the
> user build the query string separately from the .execute() call: this
> is useful if you want to stick to DBAPI in your .execute() call. I.e.,
> to allow something like:
>
> from psycopg.extensions import quote_ident
>
> query = "SELECT %s FROM %s WHERE id = %%s" % (
>     quote_ident('col'), quote_ident('table'))
>
> curs.execute(query, (id_value,))
>
> federico
>
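An added example for the points raised in the thread (this is not the patch under discussion and not psycopg2's own code): a pure-Python identifier quoter that follows the rule libpq's PQescapeIdentifier applies (always wrap in double quotes, double any embedded double quote, refuse NUL bytes), a %t substitution pass of the kind the patch proposes that leaves %s and %% alone so execute() still binds the values, and the corner cases from the review plus a constructed hostile schema name. The function names quote_ident, format_identifiers, rejects and corner_cases, and the sample identifiers, are assumptions made for this example.

```python
import re


# Added example (not psycopg2's implementation). Mirrors the rule used by
# libpq's PQescapeIdentifier: always wrap the name in double quotes, double
# any embedded double quote, and refuse NUL bytes, which cannot appear in
# an identifier. Case is preserved as-is, which is what quoting is for.
def quote_ident(name):
    """Return `name` as a safely double-quoted PostgreSQL identifier."""
    if isinstance(name, bytes):
        name = name.decode("utf-8")          # the patch accepts str or bytes
    if not isinstance(name, str):
        raise TypeError("identifier must be str or bytes, got %s"
                        % type(name).__name__)
    if not name:
        raise ValueError("identifier must not be empty")
    if "\0" in name:
        raise ValueError("identifier contains a NUL byte")
    return '"' + name.replace('"', '""') + '"'


_PLACEHOLDER = re.compile(r"%(.)", re.DOTALL)


def format_identifiers(template, identifiers):
    """Replace each %t in `template` with the next quoted identifier.

    %s and %% are passed through untouched so the driver still binds the
    values: identifiers are quoted client-side here, values go through
    the parameters of execute(). Unknown %x codes are rejected rather
    than silently copied, and the identifier count must match exactly.
    """
    idents = iter(identifiers)

    def repl(m):
        code = m.group(1)
        if code == "%":
            return "%%"
        if code == "s":
            return "%s"
        if code == "t":
            try:
                return quote_ident(next(idents))
            except StopIteration:
                raise ValueError("not enough identifiers for %t placeholders")
        raise ValueError("unknown placeholder %%%s" % code)

    out = _PLACEHOLDER.sub(repl, template)
    if any(True for _ in idents):
        raise ValueError("too many identifiers for %t placeholders")
    return out


def rejects(name):
    """True if quote_ident refuses `name` (checks the error handling)."""
    try:
        quote_ident(name)
    except (TypeError, ValueError):
        return True
    return False


def corner_cases():
    """The cases from the review, plus a constructed hostile schema name."""
    return {
        "space": quote_ident("my table"),
        "dquote": quote_ident('say "hi"'),
        "mixed": quote_ident("MyTable"),
        "hostile": quote_ident('public"; DROP TABLE users; --'),
    }


if __name__ == "__main__":
    for key, value in corner_cases().items():
        print("%-8s %s" % (key, value))
    print(format_identifiers(
        "SELECT %t FROM %t.%t WHERE id = %s AND note LIKE '100%%'",
        ["col", "public", "MyTable"]))
```

One caveat for the "compare with SELECT quote_ident(...)" test suggested above: the server-side quote_ident() only adds quotes when they are needed (quote_ident('col') returns col, unquoted), whereas PQescapeIdentifier, and the function here, always quote. A byte-for-byte comparison therefore only agrees on names that need quoting (spaces, double quotes, mixed case); for plain lowercase names the test should check that both spellings resolve to the same object rather than that the strings are identical.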
Next message: Daniele Varrazzo, 2015-05-20 23:51:22, Re: Sanitize schema name
Previous message: Federico Di Gregorio, 2015-05-20 08:14:57, Re: Sanitize schema name