fix: use regex-based pyformat substitution in cursor.execute()#61
Reviewed by Salty Hambot 🤖🧂
Fix works for the empty-params case but leaves a landmine for non-empty params with literal % — a comment noting the limitation and a negative regression test would make this much more defensible.
2 finding(s) posted.
💬 To request a re-review, comment @salty-hambot review
Replace Python's % string formatting with a regex that only matches %(name)s tokens, leaving literal percent characters (e.g. LIKE '%good') untouched. This fixes TypeError/ValueError when SQL contains % wildcards. Also adds a PEP 249 compliance section to the README documenting the module-level globals (apilevel, threadsafety, paramstyle) and parameterized query usage.
(force-pushed from bf944d8 to 73599bd)
Reviewed by Salty Hambot 🤖🧂
The regex rewrite elegantly dodges the %-formatting trap, but str() substitution without quoting means every string parameter produces invalid SQL — and the README's own examples are broken by it.
2 finding(s) posted.
💬 To request a re-review, comment @salty-hambot review
String values are now single-quoted with internal quotes escaped, None becomes NULL, booleans become TRUE/FALSE, bytes become X'hex', and numeric types pass through unquoted. This complies with the PEP 249 requirement that the driver handle proper quoting for client-side parameter interpolation.
Reviewed by Salty Hambot 🤖🧂
Looking good on the third pass — the quoting and regex rewrite are solid. One edge case left: float('inf') and float('nan') sneak through _quote_value and produce invalid SQL literals that'll blow up server-side.
1 finding(s) posted.
💬 To request a re-review, comment @salty-hambot review
is there no third-party library we can use to render a parameterized sql statement?

Not that I could find, Simon
Summary
- Replaces the `operation % (parameters or {})` call in `cursor.execute()` with a regex-based `_substitute_parameters()` helper that only matches `%(name)s` pyformat tokens.
- `%` characters in SQL (e.g. `LIKE '%good%'`) are left untouched, even when parameters are provided. No `%%` escaping is needed.
- Raises `ProgrammingError` with a clear message.
- README: documents the module-level globals (`apilevel`, `threadsafety`, `paramstyle`) and parameterized query usage with examples.

Test plan

18 new tests in `tests/test_cursor.py` across two classes:

- `TestCursorExecuteParameterSubstitution` (11 tests) — end-to-end through `cursor.execute()`:
  - `%` wildcards (leading, trailing, both sides, multiple clauses)
  - `parameters=None` and `parameters={}` with percent-containing queries
  - no `%%` escaping needed
  - raises `ProgrammingError`
- `TestSubstituteParameters` (7 tests) — unit tests for the helper directly:
  - `None`/empty params return operation unchanged
  - `%` preserved alongside params
  - raises `ProgrammingError`
  - `%s` (format-style) is not treated as a pyformat param
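The regex-only token matching described in the summary, the quoting rules from the second commit message, and the `float('inf')`/`float('nan')` edge case raised in the third review, worked through as an added example. This is not the project's code: `_substitute_parameters`, `_quote_value` and `ProgrammingError` are the names the PR mentions, but the bodies here are written for this illustration, and the `render` and `demo` helpers are assumptions that exist only to make the results inspectable.

```python
import math
import re
from numbers import Number


class ProgrammingError(Exception):
    """Stand-in for the driver's PEP 249 ProgrammingError (assumed name)."""


# Matches only pyformat tokens such as %(name)s. A bare % (LIKE '%good%')
# or a format-style %s does not match and is therefore left untouched.
_PYFORMAT_TOKEN = re.compile(r"%\((?P<name>[^)]+)\)s")


def _quote_value(value):
    """Render one Python value as a SQL literal for client-side interpolation.

    Rules as stated in the PR: None -> NULL, bool -> TRUE/FALSE,
    bytes -> X'hex', numbers unquoted, str single-quoted with ' doubled.
    Non-finite floats are rejected (the reviewer's inf/nan finding) instead
    of being emitted as the invalid literals inf / nan.
    """
    if value is None:
        return "NULL"
    if isinstance(value, bool):  # check before Number: bool subclasses int
        return "TRUE" if value else "FALSE"
    if isinstance(value, (bytes, bytearray)):
        return "X'%s'" % bytes(value).hex()
    if isinstance(value, float) and not math.isfinite(value):
        raise ProgrammingError("no SQL literal for non-finite float %r" % value)
    if isinstance(value, Number):
        return str(value)
    if isinstance(value, str):
        return "'%s'" % value.replace("'", "''")
    # Fail closed: an unknown type must not fall through to str() unquoted.
    raise ProgrammingError("unsupported parameter type %s" % type(value).__name__)


def _substitute_parameters(operation, parameters=None):
    """Replace %(name)s tokens in operation with quoted parameter values.

    Literal % characters survive whether or not parameters are given, so no
    %% escaping is needed. An unknown name raises ProgrammingError naming the
    parameter, rather than leaking a KeyError to the caller.
    """
    if not parameters:
        return operation

    def _replace(match):
        name = match.group("name")
        if name not in parameters:
            raise ProgrammingError("missing value for parameter %r" % name)
        return _quote_value(parameters[name])

    return _PYFORMAT_TOKEN.sub(_replace, operation)


def render(operation, parameters=None):
    """Return (sql, None) on success or (None, error message) on failure."""
    try:
        return _substitute_parameters(operation, parameters), None
    except ProgrammingError as exc:
        return None, str(exc)


def demo():
    """Exercise the cases the PR's test plan and the review findings name.

    All inputs are constructed for this example.
    """
    like = "SELECT name FROM users WHERE name LIKE '%good%' AND id = %(id)s"
    return {
        "wildcard_with_params": render(like, {"id": 7}),
        "wildcard_no_params": render("SELECT 1 WHERE x LIKE '%good'", None),
        "quoted_string": render("SELECT %(v)s", {"v": "O'Reilly"}),
        "null_bool_bytes": render("SELECT %(a)s, %(b)s, %(c)s",
                                  {"a": None, "b": True, "c": b"\x01\xff"}),
        "format_style_ignored": render("SELECT %s", {"x": 1}),
        "missing_param": render("SELECT %(id)s", {"other": 1}),
        "non_finite": render("SELECT %(f)s", {"f": float("nan")}),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print("%-22s %r" % (case, result))
```

Two design points matter here. The `bool` branch must come before the `Number` branch, because `bool` is a subclass of `int` and would otherwise be emitted as `1`/`0`. And because this is client-side interpolation, `_quote_value` is the whole boundary between parameter values and SQL text, so it raises on any type it does not explicitly know how to quote instead of falling back to `str()`, which is exactly how the non-finite float problem from the review slipped in.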