Commit aee1cce1 authored by Daniele Venzano's avatar Daniele Venzano

Escape table names in SQL queries

parent 5eea477c
...@@ -53,7 +53,7 @@ class BaseTable: ...@@ -53,7 +53,7 @@ class BaseTable:
def delete(self, record_id): def delete(self, record_id):
"""Delete a record from this table.""" """Delete a record from this table."""
query = "DELETE FROM {} WHERE id = %s".format(self.table_name) query = 'DELETE FROM "{}" WHERE id = %s'.format(self.table_name)
self.cursor.execute(query, (record_id,)) self.cursor.execute(query, (record_id,))
self.sql_manager.commit() self.sql_manager.commit()
...@@ -66,7 +66,7 @@ class BaseTable: ...@@ -66,7 +66,7 @@ class BaseTable:
value_list.append(value) value_list.append(value)
set_q = ", ".join(arg_list) set_q = ", ".join(arg_list)
value_list.append(record_id) value_list.append(record_id)
q_base = 'UPDATE {} SET '.format(self.table_name) + set_q + ' WHERE id=%s' q_base = 'UPDATE "{}" SET '.format(self.table_name) + set_q + ' WHERE id=%s'
query = self.cursor.mogrify(q_base, value_list) query = self.cursor.mogrify(q_base, value_list)
self.cursor.execute(query) self.cursor.execute(query)
self.sql_manager.commit() self.sql_manager.commit()
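Review bot: Wrapping `self.table_name` in double quotes through `str.format` (the DELETE query, and likewise `q_base` in the UPDATE hunk) is not escaping: a `"` inside the name still terminates the identifier, so the statement text remains open to SQL injection if the name can ever originate outside the code. The `mogrify` call suggests the driver is psycopg2, whose `psycopg2.sql` module quotes identifiers correctly, e.g. `query = sql.SQL('DELETE FROM {} WHERE id = %s').format(sql.Identifier(self.table_name))`. Quoting also makes PostgreSQL match the name case-sensitively, so a table created unquoted under a mixed-case name would no longer be found. The column fragments joined into `set_q` are built above the second hunk and are not visible here; they should be checked for the same string-built pattern.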