git.ipfire.org Git - thirdparty/sqlalchemy/sqlalchemy.git/commit

author	Mike Bayer <mike_mp@zzzcomputing.com>
	Wed, 4 Sep 2019 22:46:53 +0000 (18:46 -0400)
committer	Mike Bayer <mike_mp@zzzcomputing.com>
	Thu, 5 Sep 2019 13:55:08 +0000 (09:55 -0400)
commit	b9c8540f4d1fde959b7e0b6a147988b8f5b982dd
tree	1992e547902017735850df30de71a748dee19d33	tree
parent	5072ed04520631310be9c5f273bf13210c64d37a	commit \| diff

Strip special chars in anonymized bind names

Characters that interfere with "pyformat" or "named" formats in bound
parameters, namely ``%, (, )`` and the space character, as well as a few
other typically undesirable characters, are stripped early for a
:func:`.bindparam` that is using an anonymized name, which is typically
generated automatically from a named column which itself includes these
characters in its name and does not use a ``.key``, so that they do not
interfere either with the SQLAlchemy compiler's use of string formatting or
with the driver-level parsing of the parameter, both of which could be
demonstrated before the fix. The change only applies to anonymized
parameter names that are generated and consumed internally, not end-user
defined names, so the change should have no impact on any existing code.
Applies in particular to the psycopg2 driver which does not otherwise quote
special parameter names, but also strips leading underscores to suit Oracle
(but not yet leading numbers, as some anon parameters are currently
entirely numeric/underscore based); Oracle in any case continues to quote
parameter names that include special characters.

Fixes: #4837
Change-Id: I21cb654c3e4ef786114160b8b4295242720bf3f9
(cherry picked from commit d7aa017d83b416187b54ad38400475fd86d80671)

doc/build/changelog/unreleased_13/4837.rst	[new file with mode: 0644]	blob
lib/sqlalchemy/sql/elements.py		diff \| blob \| blame \| history
test/sql/test_compiler.py		diff \| blob \| blame \| history