From: Erlend E. Aasland <erlend@python.org>
Date: Tue, 14 May 2024 16:10:55 +0000 (-0400)
Subject: gh-118928: sqlite3: disallow sequences of params with named placeholders (#118929)
X-Git-Tag: v3.14.0a1~1906
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d8e0e009195b2388fb53012c1f0fa786426dc05f;p=thirdparty%2FPython%2Fcpython.git

gh-118928: sqlite3: disallow sequences of params with named placeholders (#118929)

Follow-up of gh-101693. The previous DeprecationWarning is replaced with
raising sqlite3.ProgrammingError.

Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
---

diff --git a/Doc/whatsnew/3.14.rst b/Doc/whatsnew/3.14.rst
index bcb1098f43d5..33a0f3e0f2f4 100644
--- a/Doc/whatsnew/3.14.rst
+++ b/Doc/whatsnew/3.14.rst
@@ -142,6 +142,11 @@ sqlite3
 * Remove :data:`!version` and :data:`!version_info` from :mod:`sqlite3`.
   (Contributed by Hugo van Kemenade in :gh:`118924`.)
 
+* Disallow using a sequence of parameters with named placeholders.
+  This had previously raised a :exc:`DeprecationWarning` since Python 3.12;
+  it will now raise a :exc:`sqlite3.ProgrammingError`.
+  (Contributed by Erlend E. Aasland in :gh:`118928` and :gh:`101693`.)
+
 typing
 ------
 
diff --git a/Lib/test/test_sqlite3/test_dbapi.py b/Lib/test/test_sqlite3/test_dbapi.py
index 1f71b5c34e44..293baccaf183 100644
--- a/Lib/test/test_sqlite3/test_dbapi.py
+++ b/Lib/test/test_sqlite3/test_dbapi.py
@@ -878,9 +878,8 @@ class CursorTests(unittest.TestCase):
         msg = "Binding.*is a named parameter"
         for query, params in dataset:
             with self.subTest(query=query, params=params):
-                with self.assertWarnsRegex(DeprecationWarning, msg) as cm:
+                with self.assertRaisesRegex(sqlite.ProgrammingError, msg) as cm:
                     self.cu.execute(query, params)
-                self.assertEqual(cm.filename,  __file__)
 
     def test_execute_indexed_nameless_params(self):
         # See gh-117995: "'?1' is considered a named placeholder"
diff --git a/Misc/NEWS.d/next/Library/2024-05-10-22-36-01.gh-issue-118928.IW7Ukv.rst b/Misc/NEWS.d/next/Library/2024-05-10-22-36-01.gh-issue-118928.IW7Ukv.rst
new file mode 100644
index 000000000000..91c95e4a5395
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2024-05-10-22-36-01.gh-issue-118928.IW7Ukv.rst
@@ -0,0 +1,2 @@
+Disallow using a sequence of parameters with named placeholders in
+:mod:`sqlite3` queries. Patch by Erlend E. Aasland.
diff --git a/Modules/_sqlite/cursor.c b/Modules/_sqlite/cursor.c
index 950596ea82b5..5d4b77b1a07e 100644
--- a/Modules/_sqlite/cursor.c
+++ b/Modules/_sqlite/cursor.c
@@ -670,15 +670,11 @@ bind_parameters(pysqlite_state *state, pysqlite_Statement *self,
         for (i = 0; i < num_params; i++) {
             const char *name = sqlite3_bind_parameter_name(self->st, i+1);
             if (name != NULL && name[0] != '?') {
-                int ret = PyErr_WarnFormat(PyExc_DeprecationWarning, 1,
+                PyErr_Format(state->ProgrammingError,
                         "Binding %d ('%s') is a named parameter, but you "
                         "supplied a sequence which requires nameless (qmark) "
-                        "placeholders. Starting with Python 3.14 an "
-                        "sqlite3.ProgrammingError will be raised.",
+                        "placeholders.",
                         i+1, name);
-                if (ret < 0) {
-                    return;
-                }
             }
 
             if (PyTuple_CheckExact(parameters)) {