mirrors/django
1
0
Fork 0
mirror of https://github.com/django/django.git synced 2025-03-05 15:02:31 +00:00
Code Issues 32 Releases Wiki Activity

Moved indexes in ArrayField's Index and Slice transforms to SQL params.

Browse Source 
Follow up to 7deeabc7c7526786df6894429ce89a9c4b614086.

These lookups aren't vulnerable to SQL injection because both accept
only integer indexes. It is a part of good practices.
This commit is contained in:
Mariusz Felisiak 2019-08-01 11:48:58 +02:00
parent 0e02e496cd
commit 05964b2198
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
django/contrib/postgres/fields/array.py
View File

@ -262,7 +262,7 @@ class IndexTransform(Transform):
def as_sql(self, compiler, connection): def as_sql(self, compiler, connection):
lhs, params = compiler.compile(self.lhs) lhs, params = compiler.compile(self.lhs)
return '%s[%s]' % (lhs, self.index), params return '%s[%%s]' % lhs, params + [self.index]
@property @property
def output_field(self): def output_field(self):
@ -288,7 +288,7 @@ class SliceTransform(Transform):
def as_sql(self, compiler, connection): def as_sql(self, compiler, connection):
lhs, params = compiler.compile(self.lhs) lhs, params = compiler.compile(self.lhs)
return '%s[%s:%s]' % (lhs, self.start, self.end), params return '%s[%%s:%%s]' % lhs, params + [self.start, self.end]
class SliceTransformFactory: class SliceTransformFactory: