1
0
mirror of https://github.com/django/django.git synced 2025-03-05 15:02:31 +00:00

Moved indexes in ArrayField's Index and Slice transforms to SQL params.

Follow up to 7deeabc7c7526786df6894429ce89a9c4b614086.

These lookups aren't vulnerable to SQL injection because both accept
only integer indexes. It is a part of good practices.
This commit is contained in:
Mariusz Felisiak 2019-08-01 11:48:58 +02:00
parent 0e02e496cd
commit 05964b2198

View File

@ -262,7 +262,7 @@ class IndexTransform(Transform):
def as_sql(self, compiler, connection):
lhs, params = compiler.compile(self.lhs)
return '%s[%s]' % (lhs, self.index), params
return '%s[%%s]' % lhs, params + [self.index]
@property
def output_field(self):
@ -288,7 +288,7 @@ class SliceTransform(Transform):
def as_sql(self, compiler, connection):
lhs, params = compiler.compile(self.lhs)
return '%s[%s:%s]' % (lhs, self.start, self.end), params
return '%s[%%s:%%s]' % lhs, params + [self.start, self.end]
class SliceTransformFactory: