hopfenspace / MateBot

Micro service providing an API for MateBot clients


Improve the SQL queries to the database backend with SQL Composition

CrsiX opened this issue · comments

commented

Currently, some of the queries which need variable column names are produced like this:

# `column` is supplied by the caller; only names from the static white-list are accepted
if column not in self._ALLOWED_UPDATES:
    raise RuntimeError("Operation not allowed")

# the column name is interpolated into the statement text, the value is bound as a parameter
_execute(
    "UPDATE users SET {}=%s WHERE id=%s".format(column),
    (value, self._id)
)

This is safe as long as _ALLOWED_UPDATES is a static list of strings (white-list). But this does not seem to be good style. Other database modules (e.g. psycopg2) seem to have "Literals" for this.

commented

This issue has been addressed in the dbhelper module using the new DATABASE_SCHEMA. It provides a handy way to generate the database automatically and is able to verify incoming calls to the database, as long as _execute is not used directly.
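The two approaches discussed in this thread, the white-list check on the column name from the first comment and the schema-driven verification from the reply, as an added example that is not part of this thread or of the MateBot code base. It assumes a constructed DATABASE_SCHEMA dictionary standing in for the project's own schema and a hypothetical quote_identifier helper, and uses the standard-library sqlite3 module so it runs offline; with psycopg2 the same identifier composition is written as sql.SQL("UPDATE users SET {} = %s WHERE id = %s").format(sql.Identifier(column)), while values keep going through the parameter tuple.

```python
import sqlite3

# Constructed schema (assumption: stands in for the project's DATABASE_SCHEMA).
# Only tables and columns listed here may ever appear in composed statements.
DATABASE_SCHEMA = {
    "users": {"id": "INTEGER PRIMARY KEY", "name": "TEXT", "balance": "INTEGER"},
}


def quote_identifier(name: str) -> str:
    """Quote a SQL identifier (SQLite/PostgreSQL style): wrap in double quotes,
    doubling any embedded double quote. This is the hypothetical stand-in for
    psycopg2's sql.Identifier."""
    return '"' + name.replace('"', '""') + '"'


def compose_update(table: str, column: str, schema=DATABASE_SCHEMA) -> str:
    """Build 'UPDATE <table> SET <column> = ? WHERE id = ?'.

    The identifier is checked against the schema before any SQL text is built,
    then quoted; the value itself is never interpolated, it stays a '?' parameter."""
    if table not in schema or column not in schema[table]:
        raise ValueError(f"column {column!r} is not allowed on table {table!r}")
    return "UPDATE {} SET {} = ? WHERE id = ?".format(
        quote_identifier(table), quote_identifier(column)
    )


def create_tables(conn: sqlite3.Connection, schema=DATABASE_SCHEMA) -> None:
    """Generate the tables from the schema, the way the reply describes for dbhelper."""
    for table, columns in schema.items():
        cols = ", ".join(f"{quote_identifier(c)} {t}" for c, t in columns.items())
        conn.execute(f"CREATE TABLE {quote_identifier(table)} ({cols})")


def update_user(conn: sqlite3.Connection, user_id: int, column: str, value):
    """Update one column of one user and return the stored value."""
    conn.execute(compose_update("users", column), (value, user_id))
    row = conn.execute(
        "SELECT {} FROM users WHERE id = ?".format(quote_identifier(column)),
        (user_id,),
    ).fetchone()
    return row[0]


def demo():
    """Run the happy path and the rejection path against an in-memory database."""
    conn = sqlite3.connect(":memory:")
    create_tables(conn)
    conn.execute("INSERT INTO users (id, name, balance) VALUES (1, 'alice', 0)")

    new_balance = update_user(conn, 1, "balance", 250)

    # A column name that is not part of the schema is refused before any SQL
    # text is composed, so the connection never sees it.
    try:
        update_user(conn, 1, "is_admin", 1)
        rejected = False
    except ValueError:
        rejected = True

    conn.close()
    return new_balance, rejected


if __name__ == "__main__":
    print(demo())
```

The validation happens in compose_update rather than in each caller, which is the property the reply attributes to dbhelper: as long as every statement is built through the schema-aware helper instead of calling _execute with hand-formatted text, the set of column names that can reach the database is fixed by the schema.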