|Title||Queries to TeamTrack database may fail because of unescaped quotes in SQL|
|Assigned user||Gareth Rees|
|Description||Queries to TeamTrack database may fail because of unescaped quotes in SQL.|
|Analysis||Many SQL queries are constructed by Python code such as "TS_P4DTI_JOBNAME='%s'" % job['Job']. This fails if the job name contains a single quote, because the resulting SQL statement then has a syntax error.
Strings must be escaped before being incorporated into queries if there is any possibility that they contain quotes.|
|Evidence||None as yet.|
|Created by||Gareth Rees|
|Created on||2000-10-19 18:09:07|
|Last modified by||Gareth Rees|
|Last modified on||2001-12-10 18:58:25|
|History||2000-10-19 GDR Created|
2000-11-21 RB Downgraded to essential. Needs more analysis to tell whether it's actually important, but might just be easier to add the appropriate escapes everywhere.
2000-11-30 GDR Closed. In fact there was only one place where escapes were needed. All other queries were safe. I implemented ANSI SQL string escaping and tested it in Microsoft Access.
|5191||closed||2000-11-30 17:53:01||Gareth Rees||The dt_teamtrack module escapes strings before putting them in SQL statements.|
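Worked example (added here; not code from the P4DTI project or the dt_teamtrack module): the interpolation pattern from the Analysis placed beside the ANSI SQL string escaping that the 2000-11-30 history entry describes, both run against an in-memory SQLite table standing in for TeamTrack. The table name TS_ISSUES, the column TS_OWNER, the sample job records and all function names are assumptions; only the column TS_P4DTI_JOBNAME and the '%s' pattern come from the issue. The same unescaped interpolation that produces the syntax error is also the shape of an SQL injection defect, so the block ends with the parameter-binding alternative that most database drivers offer, which removes the need for escaping logic altogether.

```python
import sqlite3

# Constructed sample job records (assumption for this example).
SAMPLE_JOBS = [
    {"Job": "job000123", "Owner": "grees"},
    {"Job": "O'Brien's fix", "Owner": "rb"},
]


def escape_sql_string(s):
    """ANSI SQL string escaping: a single quote inside a string literal is
    written as two single quotes. Nothing else needs escaping, because a
    single-quoted SQL literal has no other special characters."""
    return s.replace("'", "''")


def unsafe_query(job):
    # The pattern described in the issue: the value is pasted straight into
    # the statement, so a quote in the job name breaks the SQL syntax.
    return "SELECT * FROM TS_ISSUES WHERE TS_P4DTI_JOBNAME='%s'" % job["Job"]


def escaped_query(job):
    # The fix described in the history: escape before interpolating.
    return ("SELECT * FROM TS_ISSUES WHERE TS_P4DTI_JOBNAME='%s'"
            % escape_sql_string(job["Job"]))


def make_db():
    """In-memory SQLite database standing in for TeamTrack (assumption);
    SQLite follows the ANSI doubled-quote convention."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE TS_ISSUES (TS_P4DTI_JOBNAME TEXT, TS_OWNER TEXT)")
    conn.executemany("INSERT INTO TS_ISSUES VALUES (?, ?)",
                     [(j["Job"], j["Owner"]) for j in SAMPLE_JOBS])
    return conn


def run(conn, sql):
    """Returns the matching rows, or an 'error: ...' string if the
    statement is malformed (the failure mode the issue reports)."""
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError as e:
        return "error: %s" % e


def lookup_parameterized(conn, jobname):
    """Preferred alternative to hand escaping: let the driver bind the value,
    so the job name can never be parsed as part of the statement."""
    return conn.execute(
        "SELECT * FROM TS_ISSUES WHERE TS_P4DTI_JOBNAME=?", (jobname,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    for job in SAMPLE_JOBS:
        print(unsafe_query(job), "->", run(conn, unsafe_query(job)))
        print(escaped_query(job), "->", run(conn, escaped_query(job)))
        print("bound parameter ->", lookup_parameterized(conn, job["Job"]))
```

Running the block prints each query and its result: the unescaped statement fails on the job name containing quotes, while the escaped statement and the bound-parameter lookup both return the row.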