Merge pull request #2605 from b6d/postgresql_user-quote-pwd

Use psycopg2's string handling to escape password string

Merge pull request #2605 from b6d/postgresql_user-quote-pwd
Use psycopg2's string handling to escape password string
96d01458 · Michael DeHaan · 2da03604 · 77068018 · 96d01458
Commit 96d01458 authored Apr 12, 2013 by Michael DeHaan
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 4 deletions

library/postgresql_user
+8 -4

No files found.
--- a/library/postgresql_user
+++ b/library/postgresql_user
@@ -142,8 +142,10 @@ def user_exists(cursor, user):
 def user_add(cursor, user, password, role_attr_flags):
    """Create a new database user (role)."""
-    query = "CREATE USER \"%(user)s\" with PASSWORD '%(password)s' %(role_attr_flags)s"
+    query = 'CREATE USER "%(user)s" WITH PASSWORD %%(password)s %(role_attr_flags)s' % {
-    cursor.execute(query % {"user": user, "password": password, "role_attr_flags": role_attr_flags})
+        "user": user, "role_attr_flags": role_attr_flags
+    }
+    cursor.execute(query, {"password": password})
    return True
 def user_alter(cursor, user, password, role_attr_flags):
@@ -168,8 +170,10 @@ def user_alter(cursor, user, password, role_attr_flags):
        if password is not None:
            # Update the role attributes, including password.
-            alter = "ALTER USER \"%(user)s\" WITH PASSWORD '%(password)s' %(role_attr_flags)s"
+            alter = 'ALTER USER "%(user)s" WITH PASSWORD %%(password)s %(role_attr_flags)s' % {
-            cursor.execute(alter % {"user": user, "password": password, "role_attr_flags": role_attr_flags})
+                "user": user, "role_attr_flags": role_attr_flags
+            }
+            cursor.execute(alter, {"password": password})
        else:
            # Update the role attributes, excluding password.
            alter = "ALTER USER \"%(user)s\" WITH %(role_attr_flags)s"