authorRussell Keith-Magee <russell@keith-magee.com>2009-02-08 11:14:56 +0000
committerRussell Keith-Magee <russell@keith-magee.com>2009-02-08 11:14:56 +0000
commitf0a7470e405cb237e8b5676fd10f1ea482787baf (patch)
tree6fc2ef419e4d5395e6a0997a7e2a994be0338a59 /django/db/models/sql/where.py
parentd4a3a4b0ca7888ed98e03348af062b0d31d779aa (diff)
Fixed #10160 -- Modified evaluation of F() expressions to protect against potential SQL injection attacks. Thanks to Ian Kelly for the suggestion and patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9820 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Diffstat (limited to 'django/db/models/sql/where.py')
-rw-r--r--django/db/models/sql/where.py6
1 files changed, 3 insertions, 3 deletions
diff --git a/django/db/models/sql/where.py b/django/db/models/sql/where.py
index d97112e9f3..1d4df127fe 100644
--- a/django/db/models/sql/where.py
+++ b/django/db/models/sql/where.py
@@ -160,10 +160,10 @@ class WhereNode(tree.Node):
extra = ''
if lookup_type in connection.operators:
- format = "%s %%s %s" % (connection.ops.lookup_cast(lookup_type),
- extra)
+ format = "%s %%s %%s" % (connection.ops.lookup_cast(lookup_type),)
return (format % (field_sql,
- connection.operators[lookup_type] % cast_sql), params)
+ connection.operators[lookup_type] % cast_sql,
+ extra), params)
if lookup_type == 'in':
if not value_annot:
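Review bot: The fix depends on `extra` never being folded into a `%`-format template, because it is backend SQL that may itself carry `%s` parameter placeholders, yet nothing in the new lines at `format = "%s %%s %%s" % (...)` and the `return` tuple records that constraint, so the original two-step pattern is easy to reintroduce the next time someone touches this branch. I would add, above the `format =` line, `# 'extra' is SQL text (e.g. from an F() expression) and may contain '%s' placeholders of its own; it must be supplied as a formatting *value*, never spliced into the template string, or its placeholders get consumed here instead of by the DB driver.` The two-round interpolation could also be collapsed into one, which makes the intent self-evident: `format = "%s %s %s" % (connection.ops.lookup_cast(lookup_type) % field_sql, connection.operators[lookup_type] % cast_sql, extra)` followed by `return (format, params)` — this assumes `lookup_cast()` always returns a single-`%s` template, which the existing two-step form already requires. The enclosing `make_atom` method (and the assignment of `extra`, `cast_sql` and `params`) begins before this hunk and continues after it, so I am reading those inputs from their use here rather than their definitions.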