
I'm using an & ampersand sign in my database password in Django. The settings.py file looks like this:

```python
DATABASES = {
    'default': {
        'ENGINE'    : 'django.db.backends.mysql',
        'NAME'      : 'testdb',
        'USER'      : 'user1',
        'PASSWORD'  : 'pass&word',
        'HOST'      : '',
        'PORT'      : '',
    }
}
```

I get the following error with dbshell:

```
$ python manage.py dbshell

Warning: Using a password on the command line interface can be insecure.
ERROR 1045 (28000): Access denied for user 'user1'@'localhost' (using password: YES)
'word' is not recognized as an internal or external command,
operable program or batch file.
```

If my password is `pass&word`, you can see that the command breaks after the & character. How do I get around this (other than changing my password)? Is it a Django bug or should I escape the character?

P.S. python manage.py runserver works without any problems. Using command prompt on Win7.

  • Sounds like the script passes the password to the shell and does not escape it properly. – Joachim Isaksson Mar 09 '14 at 08:40
  • What version of Django are you using? – Burhan Khalid Mar 09 '14 at 08:48
  • I tried to reproduce your error by setting my MySQL password to `'pass&word'` and invoking `manage.py dbshell` but everything worked well, no errors. – Santosh Ghimire Mar 09 '14 at 08:59
  • I'm using Django v1.6b4 on Windows 7 command line with cygwin installed. – user Mar 09 '14 at 09:36
  • Seems to be a [bug in Django](https://github.com/django/django/blob/1.6/django/db/backends/mysql/client.py), only on Windows platforms — no escaping is performed on command line arguments when invoking the database client. Non-Windows platforms use `os.execvp`, which passes arguments as a list, but on Windows the command line is composed as a string and escaping is required, but missing. Doesn't seem to be fixed [in development version](https://github.com/django/django/blob/1.7a2/django/db/backends/mysql/client.py) either. – lanzz Mar 09 '14 at 10:18
  • I've submitted a bug report and a fix to Django, but I have no idea if they backport such changes to the 1.6 branch. I'd suggest changing your database password to avoid characters that have a special meaning in the Windows shell. – lanzz Mar 09 '14 at 11:11
  • [Ticket](https://code.djangoproject.com/ticket/22234); [fix](https://github.com/django/django/pull/2412) (branched from the `master` branch, but should apply cleanly on the 1.6 branch as well) – lanzz Mar 09 '14 at 11:27

1 Answer

Bug in Django.

Ticket : https://code.djangoproject.com/ticket/22234
Fix      : https://github.com/django/django/pull/2412
Credit : @lanzz

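The failure described in the comments, reproduced as an added example (not Django's code and not part of the original thread): the same argument list is run once as a space-joined shell string and once as an argument list with no shell. The stand-in child script and the names `client_args`, `run_joined`, `run_argv` and `demo` are hypothetical; the user, password and database values are taken from the question's settings.py.

```python
import os
import subprocess
import sys
import tempfile

# Stand-in for the database client: prints each argument it received.
CHILD = "import sys\nfor a in sys.argv[1:]:\n    print(a)\n"


def client_args(password):
    # Values mirror the question's settings.py.
    return ["--user=user1", "--password=%s" % password, "testdb"]


def run_joined(script, args):
    """Unsafe: join the arguments into one string for the shell to parse."""
    line = " ".join(['"%s"' % sys.executable, '"%s"' % script] + args)
    p = subprocess.run(line, shell=True, capture_output=True, text=True)
    return p.stdout.splitlines(), p.returncode


def run_argv(script, args):
    """Safe: pass the argument list straight to the OS, no shell involved."""
    p = subprocess.run([sys.executable, script] + args,
                       capture_output=True, text=True)
    return p.stdout.splitlines(), p.returncode


def demo(password="pass&word"):
    # Write the stand-in client to a temporary file, run it both ways.
    fd, script = tempfile.mkstemp(suffix=".py")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(CHILD)
        args = client_args(password)
        return run_joined(script, args), run_argv(script, args)
    finally:
        os.remove(script)


if __name__ == "__main__":
    joined, argv = demo()
    print("shell string:", joined)
    print("argv list:   ", argv)
```

In the joined form the shell treats `&` as a command separator, so the client receives only `pass` and the shell then tries to run `word` as a second command, which is the error shown in the question. The list form delivers `pass&word` intact because no shell parses it.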