P4DTI issue job000031

Title: Queries to TeamTrack database may fail because of unescaped quotes in SQL
Assigned user: Gareth Rees
Description: Queries to TeamTrack database may fail because of unescaped quotes in SQL.
Analysis: Lots of SQL queries are constructed by Python code like "TS_P4DTI_JOBNAME='%s'" % job['Job']. This will fail if the jobname contains a single quote, because the resulting SQL query then has a syntax error in it.
Strings must be escaped before being incorporated into queries if there's a possibility that they may have quotes in them.
How found: inspection
Evidence: None as yet.
Created by: Gareth Rees
Created on: 2000-10-19 18:09:07
Last modified by: Gareth Rees
Last modified on: 2001-12-10 18:58:25
History: 2000-10-19 GDR Created
2000-11-21 RB Downgraded to essential. Needs more analysis to tell whether it's actually important, but might just be easier to add the appropriate escapes everywhere.
2000-11-30 GDR Closed. In fact there was only one place where escapes were needed. All other queries were safe. I implemented ANSI SQL string escaping and tested it in Microsoft Access.


Change Effect Date User Description
5191 closed 2000-11-30 17:53:01 Gareth Rees The dt_teamtrack module escapes strings before putting them in SQL statements.
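The defect in the Analysis and the fix in the history (ANSI SQL string escaping, i.e. doubling single quotes), as an added example that is not P4DTI's dt_teamtrack code. The table name `cases`, the sample row and the function names are constructed for the demonstration; only the TS_P4DTI_JOBNAME column comes from the job record, and SQLite stands in for the TeamTrack database.

```python
import sqlite3

SELECT_TEMPLATE = "SELECT TS_P4DTI_JOBNAME FROM cases WHERE TS_P4DTI_JOBNAME='%s'"


def sql_escape(s):
    """Escape a string for use inside a single-quoted ANSI SQL literal.

    ANSI SQL writes a literal single quote as two single quotes, so
    O'Brien becomes O''Brien inside the quotes.
    """
    return s.replace("'", "''")


def unsafe_query(jobname):
    # The pattern the Analysis describes: the raw value is interpolated,
    # so a quote in the jobname ends the literal early.
    return SELECT_TEMPLATE % jobname


def safe_query(jobname):
    # The fix: escape before interpolating.
    return SELECT_TEMPLATE % sql_escape(jobname)


def run(query):
    """Run a query against an in-memory table holding one constructed row.

    Returns the matching rows; raises sqlite3.OperationalError when the
    query has a syntax error, which is the failure the job reports.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cases (TS_P4DTI_JOBNAME TEXT)")
    # Inserting with a bound parameter needs no escaping at all.
    conn.execute("INSERT INTO cases VALUES (?)", ("job000031 O'Brien",))
    return conn.execute(query).fetchall()


def demonstrate(jobname):
    """Return (unsafe_result, safe_result); unsafe_result is None on a syntax error."""
    try:
        unsafe = run(unsafe_query(jobname))
    except sqlite3.OperationalError:
        unsafe = None
    return unsafe, run(safe_query(jobname))


if __name__ == "__main__":
    print(demonstrate("job000031 O'Brien"))  # (None, [("job000031 O'Brien",)])
```

Bound parameters, as used in the INSERT above, avoid the problem entirely and are the better choice where the database driver supports them.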