From 11051f32e0ff2cc65a65311f76415996242fac67 Mon Sep 17 00:00:00 2001
From: Raphael Collet
Date: Mon, 15 Oct 2012 12:01:48 +0200
Subject: [PATCH 1/2] [FIX] res_users.login: fix query parameters in cr.execute
bzr revid: rco@openerp.com-20121015100148-pkanx35vr6fqojuj
---
 openerp/addons/base/res/res_users.py | 4 ++--
 openerp/sql_db.py | 3 +++
 openerp/tests/test_db_cursor.py | 36 ++++++++++++++++++++++++++++
 3 files changed, 41 insertions(+), 2 deletions(-)
 create mode 100644 openerp/tests/test_db_cursor.py
diff --git a/openerp/addons/base/res/res_users.py b/openerp/addons/base/res/res_users.py
index a1c06a52494..14673ce118f 100644
--- a/openerp/addons/base/res/res_users.py
+++ b/openerp/addons/base/res/res_users.py
@@ -409,8 +409,8 @@ class res_users(osv.osv):
 # prevent/delay login in that case. It will also have been logged
 # as a SQL error, if anyone cares.
 try:
- cr.execute("SELECT id FROM res_users WHERE id=%s FOR UPDATE NOWAIT", str(user_id))
- cr.execute("UPDATE res_users SET login_date = now() AT TIME ZONE 'UTC' WHERE id=%s", str(user_id))
+ cr.execute("SELECT id FROM res_users WHERE id=%s FOR UPDATE NOWAIT", (user_id,))
+ cr.execute("UPDATE res_users SET login_date = now() AT TIME ZONE 'UTC' WHERE id=%s", (user_id,))
 except Exception, e:
 _logger.exception("Failed to update last_login for db:%s login:%s", db, login)
 except openerp.exceptions.AccessDenied:
diff --git a/openerp/sql_db.py b/openerp/sql_db.py
index a6ebcd0300f..f18414bdff8 100644
--- a/openerp/sql_db.py
+++ b/openerp/sql_db.py
@@ -215,6 +215,9 @@ class Cursor(object):
 _logger.warning(query)
 _logger.warning("SQL queries cannot contain %d or %f anymore. "
 "Use only %s")
+ if params and not isinstance(params, (tuple, list, dict)):
+ _logger.error("SQL query parameters should be a tuple, list or dict; got %r", params)
+ raise ValueError("SQL query parameters should be a tuple, list or dict; got %r" % (params,))
 if self.sql_log:
 now = mdt.now()
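Review bot: The `except Exception, e:` right after the two corrected `cr.execute` calls in res_users.py also catches the `ValueError` raised by the new guard in openerp/sql_db.py, so a malformed parameter at this call site would again only be logged and `login_date` would silently stop updating. The comment fragment above the `try` suggests the handler exists so that a failed update does not block login; if so it could be narrowed to the database error, for example `except psycopg2.OperationalError:`, assuming psycopg2 is importable in this module (not visible here). A comment above the calls such as `# params must be a tuple: a bare str is itself a sequence and the driver reads it character by character` would record why `(user_id,)` is required. The `try` block and the enclosing method start outside the hunk.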
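Review bot: The guard `if params and not isinstance(params, (tuple, list, dict)):` in sql_db.py is skipped whenever the value is falsy, so a bare `0` or `''` still passes it; `if params is not None and not isinstance(params, (tuple, list, dict)):` would cover those, provided no caller passes `False` to mean "no parameters". Both the log call and the exception message format the rejected value with `%r`, and on authentication paths a mistakenly bare parameter can be a password or token that then ends up in the server log and in any traceback that is surfaced. Reporting `type(params).__name__` instead gives the same diagnosis without the value. The enclosing method (presumably `Cursor.execute`) starts and ends outside the hunk, so how `params` is used afterwards is not visible.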
diff --git a/openerp/tests/test_db_cursor.py b/openerp/tests/test_db_cursor.py
new file mode 100644
index 00000000000..97e3225d0aa
--- /dev/null
+++ b/openerp/tests/test_db_cursor.py
@@ -0,0 +1,36 @@
+# -*- coding: utf-8 -*-
+# Run with one of these commands:
+# > OPENERP_ADDONS_PATH='../../addons/trunk' OPENERP_PORT=8069 \
+# OPENERP_DATABASE=yy PYTHONPATH=. python tests/test_ir_sequence.py
+# > OPENERP_ADDONS_PATH='../../addons/trunk' OPENERP_PORT=8069 \
+# OPENERP_DATABASE=yy nosetests tests/test_ir_sequence.py
+# > OPENERP_ADDONS_PATH='../../../addons/trunk' OPENERP_PORT=8069 \
+# OPENERP_DATABASE=yy PYTHONPATH=../:. unit2 test_ir_sequence
+# This assume an existing database.
+
+import unittest2
+
+import openerp
+import common
+
+DB = common.DB
+ADMIN_USER_ID = common.ADMIN_USER_ID
+
+def cursor():
+ return openerp.modules.registry.RegistryManager.get(DB).db.cursor()
+
+
+class test_ir_sequence_standard(unittest2.TestCase):
+ """ Try cr.execute with wrong parameters """
+
+ def test_execute_bad_params(self):
+ """ Try to use non-iterable in query parameters. """
+ cr = cursor()
+ with self.assertRaises(ValueError):
+ cr.execute("SELECT id FROM res_users WHERE login=%s", 'admin')
+ with self.assertRaises(ValueError):
+ cr.execute("SELECT id FROM res_users WHERE id=%s", 1)
+ with self.assertRaises(ValueError):
+ cr.execute("SELECT id FROM res_users WHERE id=%s", '1')
+
+# vim:expandtab:smartindent:tabstop=4:softtabstop=4:shiftwidth=4:
From ae0a437aa67de4ff56247c813633d6469c873b76 Mon Sep 17 00:00:00 2001
From: Raphael Collet
Date: Mon, 15 Oct 2012 12:18:49 +0200
Subject: [PATCH 2/2] [FIX] tests: add missing test
bzr revid: rco@openerp.com-20121015101849-hf7pyxjzkbxd4tgf
---
 openerp/tests/__init__.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/openerp/tests/__init__.py b/openerp/tests/__init__.py
index aa3055f471c..3427743263c 100644
--- a/openerp/tests/__init__.py
+++ b/openerp/tests/__init__.py
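Review bot: In openerp/tests/test_db_cursor.py the cursor returned by `cursor()` in `test_execute_bad_params` is never closed, so every run leaves a connection checked out; wrapping the three assertions in `try:` ... `finally: cr.close()` releases it even when an assertion fails. All three cases pass truthy values, so a falsy non-sequence such as `0` or `''` is not exercised against the new guard in sql_db.py; a fourth `assertRaises` case would pin that behaviour either way. The class name `test_ir_sequence_standard` and the run instructions in the header still refer to test_ir_sequence, which looks like copy-paste residue and makes a failure report point at the wrong module.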
@@ -9,7 +9,7 @@ See the :ref:`test-framework` section in the :ref:`features` list. """ from . import test_expression, test_html_sanitize, test_ir_sequence, test_orm,\ - test_view_validation, test_uninstall, test_misc + test_view_validation, test_uninstall, test_misc, test_db_cursor fast_suite = [ test_ir_sequence, @@ -18,6 +18,7 @@ fast_suite = [ checks = [ test_expression, test_html_sanitize, + test_db_cursor, test_orm, test_view_validation, test_misc,