All over our code we build GQL queries more or less like this:
keyw = db.GqlQuery("SELECT * FROM Keyword WHERE text='%s'"%keyw_text).get()
But what if keyw_text contains a ' character (e.g. Obama's)?
Not only can it break the SELECT and raise an exception, it can also lead to serious security issues (see SQL injection).
I've changed the queries that are problematic - those whose parameters really can contain "'". If you still see any GQL query that is bad, or want to write a new query, use:
keyw = db.GqlQuery("SELECT * FROM Keyword WHERE text=:k",k=keyw_text).get()
or for more params:
db.GqlQuery("SELECT * FROM ArticleActivity WHERE user = :userID and articleID=:articleID", userID=A, articleID=B)
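The difference between the two query styles, as an added example that is not part of the original note or of our code base. The App Engine datastore is not available offline, so the example uses Python's sqlite3 module, whose `:k` named-parameter syntax matches the GQL form above, and a constructed in-memory Keyword table standing in for the Keyword kind. `lookup_unsafe` builds the query with `%` formatting exactly as the old code did; `lookup_safe` binds the value as a named parameter so the value is never parsed as part of the query text.

```python
import sqlite3


def make_db():
    """Constructed sample data: a throwaway in-memory table, not the datastore."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Keyword (text TEXT)")
    conn.executemany(
        "INSERT INTO Keyword VALUES (?)",
        [("Obama",), ("Obama's",), ("election",)],
    )
    return conn


def lookup_unsafe(conn, keyw_text):
    """The old pattern: the value is pasted into the query string.

    A quote in keyw_text ends the string literal early, so the rest of
    the value is parsed as query syntax."""
    query = "SELECT * FROM Keyword WHERE text='%s'" % keyw_text
    return conn.execute(query).fetchall()


def lookup_safe(conn, keyw_text):
    """The fixed pattern: the value travels separately as a bound parameter,
    the same way db.GqlQuery("... text=:k", k=keyw_text) passes it."""
    query = "SELECT * FROM Keyword WHERE text=:k"
    return conn.execute(query, {"k": keyw_text}).fetchall()


def compare(keyw_text):
    """Run both lookups on the same input and report what each one did."""
    conn = make_db()
    try:
        unsafe_rows = lookup_unsafe(conn, keyw_text)
        unsafe_error = None
    except sqlite3.OperationalError as exc:
        unsafe_rows = None
        unsafe_error = str(exc)
    safe_rows = lookup_safe(conn, keyw_text)
    return {"unsafe": unsafe_rows, "unsafe_error": unsafe_error, "safe": safe_rows}


if __name__ == "__main__":
    for text in ("Obama", "Obama's"):
        print(repr(text), "->", compare(text))
```

For the plain value both lookups return the single matching row; for `Obama's` the formatted query fails to parse (the driver raises OperationalError on the dangling quote) while the bound query returns exactly the row whose text is `Obama's`. The same applies to the multi-parameter form with `userID` and `articleID`: every value goes through binding, none through `%`.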