From e0b842a6047a5855cebc1fcb8065885db1da0353 Mon Sep 17 00:00:00 2001
From: Steve McIntyre
Date: Fri, 28 Nov 2014 18:23:47 +0000
Subject: _get_row needs the same psycopg hoop-jumping as _get_element

Change-Id: I8ca25ab15d7a057412283308b707002d1034ebb2
---
 db/db.py | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

(limited to 'db/db.py')

diff --git a/db/db.py b/db/db.py
index 57d3107..c46742b 100644
--- a/db/db.py
+++ b/db/db.py
@@ -148,8 +148,21 @@ class VlanDB:
 return self._get_element("vlan_name", "vlan", "vlan_id", vlan_id)

 def _get_row(self, table, field, value):
- sql = "SELECT * FROM %s WHERE %s = %s"
- data = (table, field, value)
+
+ # We really want to use psycopg's type handling deal with the
+ # (potentially) user-supplied data in the value field, so we
+ # have to pass (sql,data) through to cursor.execute. However,
+ # we can't have psycopg do all the argument substitution here
+ # as it will quote all the params like the table name. That
+ # doesn't work. So, we substitute a "%s" for "%s" here so we
+ # keep it after python's own string substitution.
+ sql = "SELECT * FROM %s WHERE %s = %s" % (table, field, "%s")
+
+ # Now, the next icky thing: we need to make sure that we're
+ # passing a dict so that psycopg2 can pick it apart properly
+ # for its own substitution code. We force this with the
+ # trailing comma here
+ data = (value, )
 self.cursor.execute(sql, data)
 return self.cursor.fetchone()

--
cgit v1.2.3
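Review bot: In `_get_row`, `table` and `field` are spliced into the statement with Python `%` formatting, so only `value` gets psycopg's escaping and the identifiers reach the server unquoted and unchecked. The callers of `_get_row` are outside this hunk, so whether those two arguments are always literals (as in the `_get_element` call shown in the context) cannot be confirmed from here. Either state the contract in the comment, e.g. `# table and field must be hard-coded identifiers, never request data`, or enforce it; on psycopg2 2.7 or later the identifiers can be composed safely with `sql.SQL("SELECT * FROM {} WHERE {} = %s").format(sql.Identifier(table), sql.Identifier(field))` from `psycopg2.sql`. The second comment also says a dict is passed, but `(value, )` is a one-element tuple; I would reword it to `# psycopg2 needs a sequence of parameters; the trailing comma makes a one-element tuple`.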