diff options
| author | Mariusz Felisiak <felisiak.mariusz@gmail.com> | 2023-08-25 12:31:52 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-08-25 12:31:52 (GMT) |
| commit | 75903f29f6fed718d06412f5a35105a6952961ce (patch) | |
| tree | d5242804371e9ffa0e4b92e54b587741e1ba982f /Lib/sqlite3 | |
| parent | bc2f9e625865bc13549100c0eb76d3b9c0990f1a (diff) | |
| download | cpython-75903f29f6fed718d06412f5a35105a6952961ce.zip cpython-75903f29f6fed718d06412f5a35105a6952961ce.tar.gz cpython-75903f29f6fed718d06412f5a35105a6952961ce.tar.bz2 | |
gh-108364: Simplify quoting values and identifiers in sqlite3's iterdump() (#108472)
Diffstat (limited to 'Lib/sqlite3')
| -rw-r--r-- | Lib/sqlite3/dump.py | 25 |
1 files changed, 18 insertions, 7 deletions
diff --git a/Lib/sqlite3/dump.py b/Lib/sqlite3/dump.py index 07b9da1..cf73cc3 100644 --- a/Lib/sqlite3/dump.py +++ b/Lib/sqlite3/dump.py @@ -7,6 +7,14 @@ # future enhancements, you should normally quote any identifier that # is an English language word, even if you do not have to." +def _quote_name(name): + return '"{0}"'.format(name.replace('"', '""')) + + +def _quote_value(value): + return "'{0}'".format(value.replace("'", "''")) + + def _iterdump(connection): """ Returns an iterator to the dump of the database in an SQL text format. @@ -31,11 +39,11 @@ def _iterdump(connection): sqlite_sequence = [] for table_name, type, sql in schema_res.fetchall(): if table_name == 'sqlite_sequence': - rows = cu.execute('SELECT * FROM "sqlite_sequence";').fetchall() + rows = cu.execute('SELECT * FROM "sqlite_sequence";') sqlite_sequence = ['DELETE FROM "sqlite_sequence"'] sqlite_sequence += [ - f'INSERT INTO "sqlite_sequence" VALUES(\'{row[0]}\',{row[1]})' - for row in rows + f'INSERT INTO "sqlite_sequence" VALUES({_quote_value(table_name)},{seq_value})' + for table_name, seq_value in rows.fetchall() ] continue elif table_name == 'sqlite_stat1': @@ -53,12 +61,15 @@ def _iterdump(connection): yield('{0};'.format(sql)) # Build the insert statement for each row of the current table - table_name_ident = table_name.replace('"', '""') - res = cu.execute('PRAGMA table_info("{0}")'.format(table_name_ident)) + table_name_ident = _quote_name(table_name) + res = cu.execute(f'PRAGMA table_info({table_name_ident})') column_names = [str(table_info[1]) for table_info in res.fetchall()] - q = """SELECT 'INSERT INTO "{0}" VALUES({1})' FROM "{0}";""".format( + q = "SELECT 'INSERT INTO {0} VALUES('{1}')' FROM {0};".format( table_name_ident, - ",".join("""'||quote("{0}")||'""".format(col.replace('"', '""')) for col in column_names)) + "','".join( + "||quote({0})||".format(_quote_name(col)) for col in column_names + ) + ) query_res = cu.execute(q) for row in query_res: yield("{0};".format(row[0])) |