Bugfix: Fix issue caused by converting SQL insert queries to f-strings without proper variable conversion


Description

Changes made to the queries in databaseconnect.py where insert queries’ strings were converted to f-strings are causing SQL failures in certain cases.

Example

INSERT INTO question_table(subject,root_word,verb,sentence) VALUES ('['distance']','what','[]','what is the distance between Nagpur and MUmbai?')

The variables are lists of strings and are thus appearing as lists in the query which is then truncated as a string at '['. This needs to be fixed in such a way that queries run in all cases.

Additionally, since the variables are a list, the cases where the length is more than one need to be handled in a better way. However, this wasn’t present in the first version itself and is more of an enhancement than a bugfix. @vishakha-lall I think that should be taken up in another issue.

Pre-requisite

Intermediate knowledge of Python

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 28 (24 by maintainers)

Top GitHub Comments

2 reactions
chttrjeankr commented, Mar 21, 2020

long_data_used

Seeing the above word in the error I get an instinct that you may not be converting each argument to string explicitly. I think that needs to be done. Maybe, that’ll solve it.

Not totally a wild guess though. If you browse the history of the file databaseconnect.py you’ll see typecasting existed before a PR was merged. Look here @Pihu1998.

The discussion is here and the doubts existed here.

2 reactions
janakrajchadha commented, Mar 18, 2020

@Pihu1998 Thanks for these references, this makes it quite clear why any sort of string formatting would be vulnerable to attacks. Please go ahead and make the changes using the sql module’s functions.
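
The failure from the issue and the parameterized alternative the comments point to, as an added example that is not the project's code or any commenter's. It assumes Python's built-in sqlite3 driver (placeholder `?`; other drivers use `%s`) so it runs offline, and the helper names and the ", " list join are hypothetical choices.

```python
import sqlite3

# Constructed sample values shaped like the ones quoted in the issue.
SAMPLE = (["distance"], "what", [], "what is the distance between Nagpur and MUmbai?")
INSERT_SQL = "INSERT INTO question_table(subject,root_word,verb,sentence) VALUES "


def as_text(value):
    """Flatten a list of strings to one string; pass other values through str().
    Joining with ', ' is an assumption: the issue leaves multi-item lists open."""
    if isinstance(value, (list, tuple)):
        return ", ".join(str(item) for item in value)
    return str(value)


def insert_fstring(conn, subject, root_word, verb, sentence):
    """Broken pattern: values are pasted into the SQL text, so the quotes in
    the list's repr ("['distance']") end the string literal early."""
    conn.execute(INSERT_SQL + f"('{subject}','{root_word}','{verb}','{sentence}')")


def insert_parameterized(conn, *values):
    """Values are bound by the driver and never become part of the SQL text."""
    conn.execute(INSERT_SQL + "(?,?,?,?)", tuple(as_text(v) for v in values))


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE question_table(subject, root_word, verb, sentence)")
    try:
        insert_fstring(conn, *SAMPLE)
        fstring_failed = False
    except sqlite3.OperationalError:  # syntax error near "distance"
        fstring_failed = True
    insert_parameterized(conn, *SAMPLE)
    return fstring_failed, conn.execute("SELECT * FROM question_table").fetchall()


if __name__ == "__main__":
    print(demo())
```

Because the values are bound rather than interpolated, a sentence containing an apostrophe is stored as data instead of changing the statement.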
