[Mpuls-commits] r3962 - in base/trunk: . mpulsweb/lib

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Mon Oct 11 16:29:30 CEST 2010


Author: bh
Date: 2010-10-11 16:29:29 +0200 (Mon, 11 Oct 2010)
New Revision: 3962

Modified:
   base/trunk/ChangeLog
   base/trunk/mpulsweb/lib/db.py
Log:
* mpulsweb/lib/db.py (quote_connect_parameter): New.  Quote
psycopg2.connect parameters properly
(DB.__init__): Do not quote parameters here.
(DB.getConnection): Quote all string parameters for
psycopg2.connect using quote_connect_parameter.


Modified: base/trunk/ChangeLog
===================================================================
--- base/trunk/ChangeLog	2010-10-11 13:38:22 UTC (rev 3961)
+++ base/trunk/ChangeLog	2010-10-11 14:29:29 UTC (rev 3962)
@@ -1,5 +1,13 @@
 2010-10-11  Bernhard Herzog  <bh at intevation.de>
 
+	* mpulsweb/lib/db.py (quote_connect_parameter): New.  Quote
+	psycopg2.connect parameters properly
+	(DB.__init__): Do not quote parameters here.
+	(DB.getConnection): Quote all string parameters for
+	psycopg2.connect using quote_connect_parameter.
+
+2010-10-11  Bernhard Herzog  <bh at intevation.de>
+
 	* mpulsweb/model/news.py (NewsList.__init__): Make sure the local
 	variables conn and cur are set in case connecting to the database
 	fails for some reason.
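Review bot: The added lines repeat the header "2010-10-11  Bernhard Herzog" for the older news.py entry, so the file ends up with two consecutive headers for the same date and author. Both entries could sit under the one existing header. The first sentence of the new entry ("Quote psycopg2.connect parameters properly") also lacks its closing period.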

Modified: base/trunk/mpulsweb/lib/db.py
===================================================================
--- base/trunk/mpulsweb/lib/db.py	2010-10-11 13:38:22 UTC (rev 3961)
+++ base/trunk/mpulsweb/lib/db.py	2010-10-11 14:29:29 UTC (rev 3962)
@@ -57,13 +57,17 @@
 def leave(dbObject=None):
     db._pop_object(dbObject)
 
+def quote_connect_parameter(s):
+    """Return a quoted version of the string s for with psycopg2.connect."""
+    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"
 
+
 class DB:
 
     def __init__(self, database, user, password, host='localhost', port=5432):
         self.database = database
         self.user = user
-        self.password = password.replace("\\", "\\\\")
+        self.password = password
         self.host = host
         self.port = int(port)
         self.conn = None
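Review bot: quote_connect_parameter calls s.replace unconditionally, so a caller that passes None or any other non-string value (for example a missing password) now gets an AttributeError at connect time instead of a clear configuration error. Either check the type here or document that all four parameters must be strings. The docstring reads "for with psycopg2.connect", where "for use with" was probably meant, and it would help to name the escaping rule it implements (backslash and single quote prefixed with a backslash, the whole value wrapped in single quotes) so a reader can check it against the connection-string syntax. A small test covering a value that contains a space, a single quote and a backslash would pin the behaviour down.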
@@ -75,9 +79,17 @@
                 used[0] = True
                 return used[1]
 
-        con = dbapi.connect(database=self.database,
-                            host=self.host, port=self.port,
-                            user=self.user, password=self.password)
+        # quote all string values for the connect function to make sure
+        # spaces, single quotes and backslashes don't lead to problems.
+        # This is particularly important for passwords.  The port is an
+        # int and os does not need to be quoted.  It seems to be a bug
+        # in psycopg2 that it doesn't this kind of quoting automatically
+        # when passing the connectin parameters as keyword arguments.
+        con = dbapi.connect(database=quote_connect_parameter(self.database),
+                            host=quote_connect_parameter(self.host),
+                            port=self.port,
+                            user=quote_connect_parameter(self.user),
+                            password=quote_connect_parameter(self.password))
         used = [True, con]
         self.connections.append(used)
         return con
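Review bot: The quoting in the dbapi.connect call is only correct while psycopg2 passes keyword values through unquoted, which the comment itself describes as a probable bug. If a psycopg2 release starts quoting these values itself, they will be quoted twice and the literal quote characters become part of the database name, host, user and password, so connections fail. Building the connection string in this module and passing it as a single argument would keep the quoting in one place, or the comment should at least record the psycopg2 version this was tested against so the workaround can be revisited. The comment also has three typos: "os does not need" should be "so does not need", "doesn't this kind of quoting" is missing "do", and "connectin" should be "connection".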


