From 125b3d440761efca8fa808a4b815384ece847d6a Mon Sep 17 00:00:00 2001
From: Andrew Godwin
Date: Tue, 20 May 2014 15:41:01 +0100
Subject: [PATCH] Fixed #22649: Beefed up quote_value
---
 django/db/backends/mysql/schema.py | 11 +++--------
 django/db/backends/oracle/schema.py | 5 ++++-
 django/db/backends/sqlite3/schema.py | 2 +-
 3 files changed, 8 insertions(+), 10 deletions(-)

diff --git a/django/db/backends/mysql/schema.py b/django/db/backends/mysql/schema.py
index df5f3b7fcd..4efe008f42 100644
--- a/django/db/backends/mysql/schema.py
+++ b/django/db/backends/mysql/schema.py
@@ -30,11 +30,7 @@ class DatabaseSchemaEditor(BaseDatabaseSchemaEditor):
 def quote_value(self, value):
 # Inner import to allow module to fail to load gracefully
 import MySQLdb.converters
-
- if isinstance(value, six.string_types):
- return '"%s"' % six.text_type(value)
- else:
- return MySQLdb.escape(value, MySQLdb.converters.conversions)
+ return MySQLdb.escape(value, MySQLdb.converters.conversions)

 def skip_default(self, field):
 """
@@ -49,8 +45,7 @@ class DatabaseSchemaEditor(BaseDatabaseSchemaEditor):
 # Simulate the effect of a one-off default.
 if self.skip_default(field) and field.default not in {None, NOT_PROVIDED}:
 effective_default = self.effective_default(field)
- self.execute('UPDATE %(table)s SET %(column)s=%(default)s' % {
+ self.execute('UPDATE %(table)s SET %(column)s = %%s' % {
 'table': self.quote_name(model._meta.db_table),
 'column': self.quote_name(field.column),
- 'default': self.quote_value(effective_default),
- })
+ }, [effective_default])
diff --git a/django/db/backends/oracle/schema.py b/django/db/backends/oracle/schema.py
index 447c0a231f..7843b96943 100644
--- a/django/db/backends/oracle/schema.py
+++ b/django/db/backends/oracle/schema.py
@@ -1,5 +1,6 @@
 import copy
 import datetime
+import binascii

 from django.utils import six
 from django.db.backends.schema import BaseDatabaseSchemaEditor
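Review bot: In the MySQL `quote_value` hunk, strings now go through the module-level `MySQLdb.escape(...)`, which is not bound to the open connection, so as far as I know it cannot take that connection's character set or `sql_mode` (for example `NO_BACKSLASH_ESCAPES`) into account when it escapes quotes and backslashes. If the driver exposes a connection-level `escape`, that is the safer call here. Otherwise the method should carry a comment limiting its use, e.g. `# Not connection-aware: only for trusted literals such as field defaults inlined into DDL.` After this change `six` may no longer be used in this file; the import block is outside the hunk, so that needs checking.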
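Review bot: In the MySQL `UPDATE` hunk the value is now bound as a parameter, but the table and column names are still interpolated into the statement before the driver's own `%s` substitution runs, so a `%` inside `db_table` or `field.column` would be read as a format directive at execute time. Whether `quote_name` or `execute` already guards against that is not visible here. If neither does, doubling it first, e.g. `self.quote_name(field.column).replace('%', '%%')`, keeps the statement well-formed. The enclosing method starts above the hunk.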
@@ -21,7 +22,9 @@ class DatabaseSchemaEditor(BaseDatabaseSchemaEditor):
 if isinstance(value, (datetime.date, datetime.time, datetime.datetime)):
 return "'%s'" % value
 elif isinstance(value, six.string_types):
- return repr(value)
+ return "'%s'" % six.text_type(value).replace("\'", "\'\'")
+ elif isinstance(value, buffer):
+ return "'%s'" % binascii.hexlify(value)
 elif isinstance(value, bool):
 return "1" if value else "0"
 else:
diff --git a/django/db/backends/sqlite3/schema.py b/django/db/backends/sqlite3/schema.py
index 0703688599..b7a945080d 100644
--- a/django/db/backends/sqlite3/schema.py
+++ b/django/db/backends/sqlite3/schema.py
@@ -27,7 +27,7 @@ class DatabaseSchemaEditor(BaseDatabaseSchemaEditor):
 elif isinstance(value, six.integer_types):
 return str(value)
 elif isinstance(value, six.string_types):
- return '"%s"' % six.text_type(value)
+ return "'%s'" % six.text_type(value).replace("\'", "\'\'")
 elif value is None:
 return "NULL"
 elif isinstance(value, (bytes, bytearray, six.memoryview)):
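Review bot: `buffer` in the added Oracle branch `elif isinstance(value, buffer):` is a Python 2 builtin only, while this module uses `six` for its other type checks. On Python 3 the bare name would raise NameError for every value that reaches this branch, i.e. anything that is not a date or a string, including the bools handled below it. The SQLite section of this same patch tests `(bytes, bytearray, six.memoryview)`; using `six.memoryview` here as well would keep the branch working on both versions. `binascii.hexlify` returns bytes on Python 3, so the result also needs decoding before it is formatted into the literal, e.g. `binascii.hexlify(value).decode('ascii')`. The `if`/`elif` chain starts above the hunk and continues past the `else:`.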
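Review bot: The quote-doubling expression added in the SQLite hunk, `six.text_type(value).replace("\'", "\'\'")`, is copied verbatim from the Oracle hunk, and the backslashes do nothing inside a double-quoted Python string. `.replace("'", "''")` is the same call and easier to audit, and a one-line comment such as `# SQL string literal: double embedded single quotes` would record why the old `'"%s"'` form was wrong (double quotes delimit identifiers in standard SQL). A short docstring on `quote_value` saying it is for inlining trusted values such as column defaults into DDL, with bound parameters preferred everywhere else, would help too. The method's `def` line is above the hunk.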