Use psycopg2's string handling to escape password string

This allows the password to contain single quotes and should make it safe to
use randomly generated passwords (provided passwords can be represented in the
connection encoding).
This commit is contained in:
Bernhard Weitzhofer 2013-04-07 23:07:58 +02:00
parent 74c85c1929
commit 95f1cf0adf

View file

@ -142,8 +142,10 @@ def user_exists(cursor, user):
def user_add(cursor, user, password, role_attr_flags): def user_add(cursor, user, password, role_attr_flags):
"""Create a new database user (role).""" """Create a new database user (role)."""
query = "CREATE USER \"%(user)s\" with PASSWORD '%(password)s' %(role_attr_flags)s" query = 'CREATE USER "%(user)s" WITH PASSWORD %%(password)s %(role_attr_flags)s' % {
cursor.execute(query % {"user": user, "password": password, "role_attr_flags": role_attr_flags}) "user": user, "role_attr_flags": role_attr_flags
}
cursor.execute(query, {"password": password})
return True return True
def user_alter(cursor, user, password, role_attr_flags): def user_alter(cursor, user, password, role_attr_flags):
@ -168,8 +170,10 @@ def user_alter(cursor, user, password, role_attr_flags):
if password is not None: if password is not None:
# Update the role attributes, including password. # Update the role attributes, including password.
alter = "ALTER USER \"%(user)s\" WITH PASSWORD '%(password)s' %(role_attr_flags)s" alter = 'ALTER USER "%(user)s" WITH PASSWORD %%(password)s %(role_attr_flags)s' % {
cursor.execute(alter % {"user": user, "password": password, "role_attr_flags": role_attr_flags}) "user": user, "role_attr_flags": role_attr_flags
}
cursor.execute(alter, {"password": password})
else: else:
# Update the role attributes, excluding password. # Update the role attributes, excluding password.
alter = "ALTER USER \"%(user)s\" WITH %(role_attr_flags)s" alter = "ALTER USER \"%(user)s\" WITH %(role_attr_flags)s"