Diffstat (limited to 'db/db.py')
-rw-r--r--db/db.py17
1 files changed, 15 insertions, 2 deletions
diff --git a/db/db.py b/db/db.py
index 57d3107..c46742b 100644
--- a/db/db.py
+++ b/db/db.py
@@ -148,8 +148,21 @@ class VlanDB:
return self._get_element("vlan_name", "vlan", "vlan_id", vlan_id)
def _get_row(self, table, field, value):
- sql = "SELECT * FROM %s WHERE %s = %s"
- data = (table, field, value)
+
+ # We really want to use psycopg's type handling deal with the
+ # (potentially) user-supplied data in the value field, so we
+ # have to pass (sql,data) through to cursor.execute. However,
+ # we can't have psycopg do all the argument substitution here
+ # as it will quote all the params like the table name. That
+ # doesn't work. So, we substitute a "%s" for "%s" here so we
+ # keep it after python's own string substitution.
+ sql = "SELECT * FROM %s WHERE %s = %s" % (table, field, "%s")
+
+ # Now, the next icky thing: we need to make sure that we're
+ # passing a dict so that psycopg2 can pick it apart properly
+ # for its own substitution code. We force this with the
+ # trailing comma here
+ data = (value, )
self.cursor.execute(sql, data)
return self.cursor.fetchone()
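Review bot: `table` and `field` are still spliced into the statement by Python on the `sql = "SELECT * FROM %s WHERE %s = %s" % (table, field, "%s")` line, so the new parameterization protects only `value`; the visible caller on the `vlan_name` line passes string literals, so this looks safe today, but nothing in `_get_row` prevents a future caller from passing a non-literal there, and psycopg's quoting cannot help with identifiers. A cheap guard at the top of the method closes that gap (with `re` imported at module level): `if not all(re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", name) for name in (table, field)): raise ValueError("invalid SQL identifier")` — or, if the installed psycopg2 is 2.7 or newer, build the statement as `psycopg2.sql.SQL("SELECT * FROM {} WHERE {} = %s").format(sql.Identifier(table), sql.Identifier(field))`, which quotes identifiers correctly. Separately, the comment above `data = (value, )` says psycopg2 needs a dict, but the trailing comma produces a one-element tuple, which is exactly what positional `%s` placeholders expect, so the comment should say `tuple` (a dict is only for `%(name)s` placeholders). The `"%s"`-as-argument trick could also be written as `%%s` in the literal, `"SELECT * FROM %s WHERE %s = %%s" % (table, field)`, which survives Python's formatting without the third argument.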