Always cast SQL parameters to tuples

As reported in #50.
adamchainz · Jun 12, 2019 · 0b75b2c · 0b75b2c
1 parent e4b3a50
commit 0b75b2c
Show file tree

Hide file tree

Showing 7 changed files with 24 additions and 34 deletions.
diff --git a/HISTORY.rst b/HISTORY.rst
@@ -10,6 +10,8 @@ Pending
 
 * Update Python support to 3.5-3.7, as 3.4 has reached its end of life.
 
+* Always cast SQL params to tuples in ORM code.
+
 3.1.0 (2019-05-17)
 ------------------
 

diff --git a/django_mysql/models/aggregates.py b/django_mysql/models/aggregates.py
@@ -64,4 +64,4 @@ def as_sql(self, compiler, connection, function=None, template=None):
 
         sql.append(")")
 
-        return "".join(sql), params
+        return "".join(sql), tuple(params)
diff --git a/django_mysql/models/expressions.py b/django_mysql/models/expressions.py
@@ -64,10 +64,7 @@ def as_sql(self, compiler, connection):
         value, value_params = compiler.compile(self.rhs)
 
         sql = self.sql_expression % (field, value)
-
-        params = []
-        params.extend(value_params)
-        params.extend(field_params)
+        params = tuple(value_params) + tuple(field_params)
 
         return sql, params
 
@@ -96,10 +93,7 @@ def as_sql(self, compiler, connection):
         value, value_params = compiler.compile(self.rhs)
 
         sql = self.sql_expression % (value, field)
-
-        params = []
-        params.extend(field_params)
-        params.extend(value_params)
+        params = tuple(field_params) + tuple(value_params)
 
         return sql, params
 
@@ -136,7 +130,7 @@ def as_sql(self, compiler, connection):
         field, field_params = compiler.compile(self.lhs)
 
         sql = self.sql_expression % (field)
-        return sql, field_params
+        return sql, tuple(field_params)
 
 
 class PopLeftListF(BaseExpression):
@@ -163,7 +157,7 @@ def as_sql(self, compiler, connection):
         field, field_params = compiler.compile(self.lhs)
 
         sql = self.sql_expression % (field)
-        return sql, field_params
+        return sql, tuple(field_params)
 
 
 class SetF(object):
@@ -206,10 +200,7 @@ def as_sql(self, compiler, connection):
         value, value_params = compiler.compile(self.rhs)
 
         sql = self.sql_expression % (value, field)
-
-        params = []
-        params.extend(value_params)
-        params.extend(field_params)
+        params = tuple(value_params) + tuple(field_params)
 
         return sql, params
 
@@ -257,9 +248,6 @@ def as_sql(self, compiler, connection):
         value, value_params = compiler.compile(self.rhs)
 
         sql = self.sql_expression % (value, field)
-
-        params = []
-        params.extend(value_params)
-        params.extend(field_params)
+        params = tuple(value_params) + tuple(field_params)
 
         return sql, params
diff --git a/django_mysql/models/fields/dynamic.py b/django_mysql/models/fields/dynamic.py
@@ -299,7 +299,7 @@ def as_sql(self, compiler, connection):
         lhs, params = compiler.compile(self.lhs)
         return (
             "COLUMN_GET({}, %s AS {})".format(lhs, self.data_type),
-            params + [self.key_name],
+            tuple(params) + (self.key_name,),
         )
 
 

diff --git a/django_mysql/models/fields/json.py b/django_mysql/models/fields/json.py
@@ -207,7 +207,7 @@ def as_sql(self, compiler, connection):
 
         json_path = self.compile_json_path(key_transforms)
 
-        return 'JSON_EXTRACT({}, %s)'.format(lhs), params + [json_path]
+        return 'JSON_EXTRACT({}, %s)'.format(lhs), tuple(params) + (json_path,)
 
     def compile_json_path(self, key_transforms):
         path = ['$']

diff --git a/django_mysql/models/fields/lists.py b/django_mysql/models/fields/lists.py
@@ -228,7 +228,7 @@ def __init__(self, index, *args, **kwargs):
     def as_sql(self, qn, connection):
         lhs, lhs_params = self.process_lhs(qn, connection)
         rhs, rhs_params = self.process_rhs(qn, connection)
-        params = lhs_params + rhs_params
+        params = tuple(lhs_params) + tuple(rhs_params)
         # Put rhs on the left since that's the order FIND_IN_SET uses
         return '(FIND_IN_SET(%s, %s) = %s)' % (rhs, lhs, self.index), params
 

diff --git a/django_mysql/models/lookups.py b/django_mysql/models/lookups.py
@@ -20,7 +20,7 @@ class SoundsLike(Lookup):
     def as_sql(self, qn, connection):
         lhs, lhs_params = self.process_lhs(qn, connection)
         rhs, rhs_params = self.process_rhs(qn, connection)
-        params = lhs_params + rhs_params
+        params = tuple(lhs_params) + tuple(rhs_params)
         return '%s SOUNDS LIKE %s' % (lhs, rhs), params
 
 
@@ -73,7 +73,7 @@ class JSONContainedBy(Lookup):
     def as_sql(self, qn, connection):
         lhs, lhs_params = self.process_lhs(qn, connection)
         rhs, rhs_params = self.process_rhs(qn, connection)
-        params = rhs_params + lhs_params
+        params = tuple(rhs_params) + tuple(lhs_params)
         return 'JSON_CONTAINS({}, {})'.format(rhs, lhs), params
 
 
@@ -83,7 +83,7 @@ class JSONContains(JSONLookupMixin, Lookup):
     def as_sql(self, qn, connection):
         lhs, lhs_params = self.process_lhs(qn, connection)
         rhs, rhs_params = self.process_rhs(qn, connection)
-        params = lhs_params + rhs_params
+        params = tuple(lhs_params) + tuple(rhs_params)
         return 'JSON_CONTAINS({}, {})'.format(lhs, rhs), params
 
 
@@ -101,7 +101,7 @@ def as_sql(self, qn, connection):
         lhs, lhs_params = self.process_lhs(qn, connection)
         key_name = self.rhs
         path = '$.{}'.format(json.dumps(key_name))
-        params = lhs_params + [path]
+        params = tuple(lhs_params) + (path,)
         return "JSON_CONTAINS_PATH({}, 'one', %s)".format(lhs), params
 
 
@@ -120,11 +120,11 @@ class JSONHasKeys(JSONSequencesMixin, Lookup):
 
     def as_sql(self, qn, connection):
         lhs, lhs_params = self.process_lhs(qn, connection)
-        paths = [
+        paths = tuple(
             '$.{}'.format(json.dumps(key_name))
             for key_name in self.rhs
-        ]
-        params = lhs_params + paths
+        )
+        params = tuple(lhs_params) + paths
 
         sql = ['JSON_CONTAINS_PATH(', lhs, ", 'all', "]
         sql.append(', '.join('%s' for _ in paths))
@@ -137,11 +137,11 @@ class JSONHasAnyKeys(JSONSequencesMixin, Lookup):
 
     def as_sql(self, qn, connection):
         lhs, lhs_params = self.process_lhs(qn, connection)
-        paths = [
+        paths = tuple(
             '$.{}'.format(json.dumps(key_name))
             for key_name in self.rhs
-        ]
-        params = lhs_params + paths
+        )
+        params = tuple(lhs_params) + paths
 
         sql = ['JSON_CONTAINS_PATH(', lhs, ", 'one', "]
         sql.append(', '.join('%s' for _ in paths))
@@ -169,7 +169,7 @@ def get_prep_lookup(self):
     def as_sql(self, qn, connection):
         lhs, lhs_params = self.process_lhs(qn, connection)
         rhs, rhs_params = self.process_rhs(qn, connection)
-        params = lhs_params + rhs_params
+        params = tuple(lhs_params) + tuple(rhs_params)
         # Put rhs on the left since that's the order FIND_IN_SET uses
         return 'FIND_IN_SET(%s, %s)' % (rhs, lhs), params
 
@@ -187,5 +187,5 @@ class DynColHasKey(Lookup):
     def as_sql(self, qn, connection):
         lhs, lhs_params = self.process_lhs(qn, connection)
         rhs, rhs_params = self.process_rhs(qn, connection)
-        params = lhs_params + rhs_params
+        params = tuple(lhs_params) + tuple(rhs_params)
         return 'COLUMN_EXISTS(%s, %s)' % (lhs, rhs), params
-Original file line number
+Diff line change
@@ Expand Up / @@ -10,6 +10,8 @@ Pending @@
     * Update Python support to 3.5-3.7, as 3.4 has reached its end of life.
+    * Always cast SQL params to tuples in ORM code.
 .1.0 (2019-05-17)
     ------------------
@@ Expand Down @@
Original file line number	Diff line number	Diff line change
Expand Up		@@ -64,4 +64,4 @@ def as_sql(self, compiler, connection, function=None, template=None):

		sql.append(")")

		return "".join(sql), params
		return "".join(sql), tuple(params)