Improve the SQL queries to the database backend with SQL Composition
CrsiX opened this issue · comments
Currently, some of the queries which need variable column names are produced like this:
```python
# `column` is caller-supplied, so it is checked against a static white-list
# before being spliced into the statement; the value and id are still bound
# as query parameters rather than formatted in.
if column not in self._ALLOWED_UPDATES:
    raise RuntimeError("Operation not allowed")
_execute(
    "UPDATE users SET {}=%s WHERE id=%s".format(column),
    (value, self._id)
)
```
This is safe as long as `_ALLOWED_UPDATES` is a static list of strings (a white-list). But this does not seem to be good style. Other database modules (e.g. psycopg2) seem to have "Literals" for this.
This issue has been addressed in the `dbhelper` module using the new `DATABASE_SCHEMA`. It provides a handy way to generate the database automatically and is able to verify incoming calls to the database, as long as `_execute` is not used directly.
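As an added illustration of the two points above (checking a variable column name against a schema-derived white-list, and composing it into the statement as a quoted identifier rather than raw text), here is a self-contained example that is not code from the project. It uses the standard-library `sqlite3` module so it runs offline; the `DATABASE_SCHEMA` dict, the `users` table contents and the function names are constructed for the example, and `quote_identifier` hand-rolls what `psycopg2.sql.Identifier` does for you in the real backend.

```python
import sqlite3  # stands in for the psycopg2 backend; placeholders are ? instead of %s

# Constructed schema in the spirit of the issue's DATABASE_SCHEMA (not the project's own).
DATABASE_SCHEMA = {
    "users": {"id": "INTEGER PRIMARY KEY", "name": "TEXT", "balance": "INTEGER"},
}


def quote_identifier(name: str) -> str:
    """Quote an SQL identifier: wrap in double quotes and double any embedded quote.
    With psycopg2 you would write sql.Identifier(name) instead of calling this."""
    return '"' + name.replace('"', '""') + '"'


def build_update(table: str, column: str) -> str:
    """Compose the UPDATE statement. The column must exist in the schema (the role
    _ALLOWED_UPDATES plays in the issue) and is then quoted as an identifier, so it
    can only ever name a column, never add SQL. With psycopg2 the equivalent is
    sql.SQL("UPDATE users SET {} = %s WHERE id = %s").format(sql.Identifier(column))."""
    columns = DATABASE_SCHEMA.get(table)
    if columns is None or column not in columns:
        raise RuntimeError("Operation not allowed: %s.%s" % (table, column))
    return "UPDATE {} SET {} = ? WHERE {} = ?".format(
        quote_identifier(table), quote_identifier(column), quote_identifier("id")
    )


def update_user(conn, user_id: int, column: str, value) -> int:
    """Run the composed statement; the value and id are bound as parameters."""
    cur = conn.execute(build_update("users", column), (value, user_id))
    conn.commit()
    return cur.rowcount


def demo() -> dict:
    """Constructed walk-through: a valid update, a value containing a quote, and a
    column name that is not in the schema (rejected before any SQL is built)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, balance INTEGER)")
    conn.execute("INSERT INTO users VALUES (1, 'alice', 10)")
    update_user(conn, 1, "balance", 42)
    update_user(conn, 1, "name", "o'brien")  # the quote is data, not SQL
    try:
        update_user(conn, 1, "balance = 0, name", "x")
        rejected = False
    except RuntimeError:
        rejected = True
    name, balance = conn.execute("SELECT name, balance FROM users WHERE id = 1").fetchone()
    return {"name": name, "balance": balance, "rejected_unknown_column": rejected}
```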