
I am looking for a way to pass a string (an SQL query) to a Django view from jQuery. As such, I want my string to include any number of alphabetic characters, underlines and whitespaces ordered in an arbitrary sequence. [\s_a-zA-Z0-9]+ seems to be the right regex for this, but I still end up failing to call my view. The problem lies in the URLConf below:

url(r'^run_sql_query/(?P<sql_query_str>\[\s,=_a-zA-Z0-9]+)/$', get_sql_query_json_result)

The jQuery (which is 99% correct):

var sql_query_str = 'select ' +
    'name, short_name, kpp, inn , okpo, phone_number_accounting,' +
    'phone_number_ordering, description ' +
    'from v_legal_entities WHERE is_vendor = 1';
$.ajax({
    type: "GET",
    url: "/run_sql_query/" + sql_query_str,   // the browser percent-encodes the spaces as %20
    dataType: 'json',
    cache: false,   // a boolean; the string "false" is truthy, so it would not disable caching
    data: {},
    success: function (obj)
    {...// some code...

I have read this, but I still can't work around it.

  • Your regex doesn't allow commas (`,`) or equal signs (`=`), which are present in the string you are sending... – solarissmoke Nov 12 '15 at 07:24
  • And why are you escaping the `[`? That means it's matched as a literal `[`. – Tim Pietzcker Nov 12 '15 at 07:25
  • Sorry, I actually pasted an old version here (I have already updated the post), but I still get a 404 (NOT FOUND) error with a strange 20% instead of whitespaces (127.0.0.1:8000/run_sql_query/select%20name,%20short_name,%20kpp,%20inn%20,%20okpo,%....') – Edgar Navasardyan Nov 12 '15 at 07:30
  • Tim, I didn't get your point. I am a newbie to regex :) Could you please clarify what you mean? – Edgar Navasardyan Nov 12 '15 at 07:32
  • There's a backslash before the `[` in your regex. Remove that - otherwise your regex can only match a string like `"run_sql_query/[ ,=_a-zA-Z0-9]]]/"`. – Tim Pietzcker Nov 12 '15 at 07:36
  • It seems that the problem is not even in the whitespaces. The URLConf is now url(r'^run_sql_query/(?P[_,=a-zA-Z0-9]+)/$', get_sql_query_json_result), and the string is "WHEREis_vendor1", but I still get a 500 NOT FOUND error! – Edgar Navasardyan Nov 12 '15 at 07:56
  • Partially off-topic, but this sounds like an extremely dangerous task that you're trying to do... – Sayse Nov 12 '15 at 08:28
  • Sayse, I understand, you mean the potential SQL injection hazard that stems from using URLs to enable client-server interaction. What's the safe alternative then? – Edgar Navasardyan Nov 12 '15 at 18:07
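Added example, not code from the question or its comments: it reproduces the URLConf match the commenters diagnosed (with the backslash, `\[` is a literal bracket and the pattern can never match the query, so Django answers 404) and sketches the kind of safe alternative the last comment asks about. The allow-listed query name, the `int` coercion and the in-memory table standing in for `v_legal_entities` are assumptions of this example.

```python
import re
import sqlite3
from urllib.parse import quote, unquote

# The query the question's jQuery builds (copied from the page).
SQL_QUERY_STR = ('select name, short_name, kpp, inn , okpo, phone_number_accounting,'
                 'phone_number_ordering, description from v_legal_entities WHERE is_vendor = 1')
# What reaches the server: spaces (and , =) percent-encoded, plus the trailing slash the URLConf expects.
QUERY_PATH = 'run_sql_query/' + quote(SQL_QUERY_STR) + '/'

# The two URLConf regexes from the page: the original, where "\[" is a literal
# bracket, and the version without the backslash, where "[...]" is a character class.
PATTERN_ESCAPED = r'^run_sql_query/(?P<sql_query_str>\[\s,=_a-zA-Z0-9]+)/$'
PATTERN_FIXED = r'^run_sql_query/(?P<sql_query_str>[\s,=_a-zA-Z0-9]+)/$'

def resolve(pattern, path):
    """Mimic the resolver step: match the percent-decoded path and return the
    captured group, or None when Django would answer 404."""
    m = re.match(pattern, unquote(path))
    return m.group('sql_query_str') if m else None

# Safer alternative (an assumption of this example, not something the page gives):
# the client sends an allow-listed query name plus a value; the SQL text stays on
# the server and the value is bound as a parameter, so it cannot alter the query.
NAMED_QUERIES = {
    'vendors': ('SELECT name, short_name FROM v_legal_entities WHERE is_vendor = ?', int),
}

def is_accepted(name, raw_value):
    """True only for a known query name whose value coerces to the declared type."""
    if name not in NAMED_QUERIES:
        return False
    try:
        NAMED_QUERIES[name][1](raw_value)
    except ValueError:
        return False
    return True

def run_named_query(conn, name, raw_value):
    """Run the fixed SQL for `name` with the client value bound as a parameter."""
    sql, coerce = NAMED_QUERIES[name]
    return conn.execute(sql, (coerce(raw_value),)).fetchall()

def demo_db():
    """Constructed in-memory stand-in for the v_legal_entities view."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE v_legal_entities (name TEXT, short_name TEXT, is_vendor INTEGER)')
    conn.executemany('INSERT INTO v_legal_entities VALUES (?, ?, ?)',
                     [('Acme Ltd', 'Acme', 1), ('Beta GmbH', 'Beta', 0)])
    return conn
```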
