_get_row needs the same psycopg hoop-jumping as _get_element

Change-Id: I8ca25ab15d7a057412283308b707002d1034ebb2

1 files changed, 15 insertions, 2 deletions

diff --git a/db/db.py b/db/db.py
index 57d3107..c46742b 100644
--- a/db/db.py
+++ b/db/db.py
@@ -148,8 +148,21 @@ class VlanDB:
         return self._get_element("vlan_name", "vlan", "vlan_id", vlan_id)
 
     def _get_row(self, table, field, value):
-        sql = "SELECT * FROM %s WHERE %s = %s"
-        data = (table, field, value)
+
+        # We really want to use psycopg's type handling deal with the
+        # (potentially) user-supplied data in the value field, so we
+        # have to pass (sql,data) through to cursor.execute. However,
+        # we can't have psycopg do all the argument substitution here
+        # as it will quote all the params like the table name. That
+        # doesn't work. So, we substitute a "%s" for "%s" here so we
+        # keep it after python's own string substitution.
+        sql = "SELECT * FROM %s WHERE %s = %s" % (table, field, "%s")
+
+        # Now, the next icky thing: we need to make sure that we're
+        # passing a dict so that psycopg2 can pick it apart properly
+        # for its own substitution code. We force this with the
+        # trailing comma here
+        data = (value, )
         self.cursor.execute(sql, data)
         return self.cursor.fetchone()