From f0a7470e405cb237e8b5676fd10f1ea482787baf Mon Sep 17 00:00:00 2001
From: Russell Keith-Magee
Date: Sun, 8 Feb 2009 11:14:56 +0000
Subject: Fixed #10160 -- Modified evaluation of F() expressions to protect against potential SQL injection attacks. Thanks to Ian Kelly for the suggestion and patch.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@9820 bcc190cf-cafb-0310-a4f2-bffc1f526a37
---
 django/db/models/sql/where.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'django/db/models/sql/where.py')
diff --git a/django/db/models/sql/where.py b/django/db/models/sql/where.py
index d97112e9f3..1d4df127fe 100644
--- a/django/db/models/sql/where.py
+++ b/django/db/models/sql/where.py
@@ -160,10 +160,10 @@ class WhereNode(tree.Node):
 extra = ''
 if lookup_type in connection.operators:
- format = "%s %%s %s" % (connection.ops.lookup_cast(lookup_type), extra)
+ format = "%s %%s %%s" % (connection.ops.lookup_cast(lookup_type),)
 return (format % (field_sql,
- connection.operators[lookup_type] % cast_sql), params)
+ connection.operators[lookup_type] % cast_sql,
+ extra), params)
 if lookup_type == 'in':
 if not value_annot:
--
cgit v1.3
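Review bot: The new `format = "%s %%s %%s" % (connection.ops.lookup_cast(lookup_type),)` line and the `extra), params)` line carry a security invariant that is not written down: `extra` is now passed as a value to the second `%` application instead of being spliced into the format template, so a `%` character inside it can no longer be parsed as a conversion specifier and shift the positional placeholders out of line with `params`. That is the whole fix, and a future edit that moves `extra` back into the template string would silently reintroduce the problem, so a comment at the `format =` line is warranted, e.g. `# 'extra' is a raw SQL fragment; interpolate it as a VALUE, never as part of the format template, so a '%' inside it cannot alter placeholder/param alignment (#10160)`. Note that `extra` is still concatenated into the SQL text rather than bound in `params`, which is only safe while it is built from trusted backend fragments; the branch that sets it to something other than `''` is above the hunk, so a one-line note there naming where `extra` may come from would let a reader verify that assumption. The enclosing method starts and ends outside this hunk.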