search

sripathikrishnan / jinjasql

Template Language for SQL with Automatic Bind Parameter Extraction
MIT License
815 stars 89 forks source link

Critical: JinjaSQL fails to bind parameters in case of string concatenation #30

Closed sripathikrishnan closed 4 years ago

sripathikrishnan commented 4 years ago 
from jinjasql import JinjaSql
j = JinjaSql()
query, params = j.prepare_query("SELECT {{ '%' ~ tag ~ '%' }}", {"tag": "sql"})
print(query)
print(params)

Should print SELECT %s ['%sql%']

Instead, it prints SELECT %sql%s ['%']

Analysis

JinjaSQL internally rewrites the query to SELECT {{ '%' ~ tag ~ '%' | bind('tag')}}. The bind filter attaches itself only to the last '%', and not to the entire expression.

To fix this, JinjaSQL should enclose the entire expression in a pair of parentheses, like this - SELECT {{ ('%' ~ tag ~ '%') | bind('tag') }}

sripathikrishnan commented 4 years ago

Fixed with release 0.1.8