Add Parametrized query support for SELECTs and EXPLAINs #1725
Conversation
|
Hi! Thanks for PR |
|
Regarding refactoring insert and update statements - seems like good idea, if you could tackle it - would be great |
|
@abondar Thank you! I updated the pyproject.toml with the new pypika-tortoise version and ran |
Not sure how busy my day is going to be today, but I'll try to get it in later today or tomorrow 👍 |
|
seems like there are some errors from ruff. I'll get those fixed as well |
|
If it's not too convoluted to describe - can you please share how does it help you? :) Is it just about security concerns, as you have public APIs? Or it gives you some kind of new possibilities? |
Yeah, it is mostly about security. We have an api that allows rich filtering of data and we do this with tortoise's Q expressions. It is an internal only tool, but I would have more peace of mind with prepared statements for all user input :) |
|
While fixing the code to make the ci tests pass, I noticed that there was still something wrong with the pypika ValueWrapper implementation, which I have addressed in this PR. I have also looked into refactoring the insert and update queries, but I came to the conclusion that its best to leave them as is, because using the parametrized ValueWrappers there as well would make caching the queries impossible. The approach we have there right now with caclulating the queries upfront and only adjusting the values supplied when executing it is already optimal i think. |
|
@larsschwegmann I released 0.2.1 version of pypika |
|
There seems to be an issue with the extraction of Parameter values when nested inside pypika |
|
@larsschwegmann any chances you can make your PR work locally with locally built version of pypika? So that we publish another version when we are sure it work properly for all testcases? I think it would be even okay to vendor this version of lib in intermediate commit in this PR, if you are having issues with running all testscases locally |
I'll try that 👍 |
This PR depends on the changes from this PR on tortoise/pypika-tortoise, which does not have a release yet.
So this cannot be merged until then.
If you have feedback on the idea i would be happy to hear it!
Description
This PR adds parametrization to SELECT and EXPLAIN queries for filter expressions by utilizing the ListParameter introduced in the tortoise-pypika PR mentioned above.
It allows us to get this functionality with minimal changes to the filter expressions, because all ValueWrappers in the query get support for Parametrization automatically when a parameter kwarg is supplied to pypika
.get_sql()method on aQueryBuilder.That way, we don't have to keep track of all parameters during query building.
I left the INSERT and UPDATE query building of the executor untouched, so that works like before. It could be refactored to use the ListParameter type as well.
Motivation and Context
Parametrization (as in prepared statements) provides better protection against SQL injection attacks. It is defined as an important goal for tortoises 1.0 roadmap -> Issue
How Has This Been Tested?
Unit tests are passing.
Checklist: