Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support cursor.execute(psycopg2.sql.Composable) #1029

Merged
merged 1 commit into from
Jun 28, 2022
Merged

Support cursor.execute(psycopg2.sql.Composable) #1029

merged 1 commit into from
Jun 28, 2022

Conversation

andersk
Copy link
Contributor

@andersk andersk commented Jun 28, 2022

In addition to str, PostgreSQL cursors accept the psycopg2.sql.Composable type, which is useful for guarding against SQL injections when building raw queries that can’t be parameterized in the normal way (e.g. interpolating identifiers).

In order to avoid reintroducing a dependency on psycopg2, we define a Protocol that matches psycopg2.sql.Composable.

Documentation: https://www.psycopg.org/docs/sql.html
Related: python/typeshed#7494

@andersk andersk mentioned this pull request Jun 28, 2022
Merged
12 tasks
@andersk andersk force-pushed the execute-psycopg2-composable branch 3 times, most recently from 50254f3 to a4c8ebf Compare June 28, 2022 19:18
@PIG208
Copy link
Contributor

PIG208 commented Jun 28, 2022

Strictly speaking, should we also account for other backends that might not support Composable?

@andersk
Copy link
Contributor Author

andersk commented Jun 28, 2022
edited
Loading

@PIG208 Erring on the side of accepting things that might or might not be accepted at runtime is a fine way for type stubs to account for that (and probably the only way in this case).

sobolevn
sobolevn reviewed Jun 28, 2022
View reviewed changes
Copy link
Member

@sobolevn sobolevn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you! 👍

@andersk andersk force-pushed the execute-psycopg2-composable branch from a4c8ebf to 1cf8dfc Compare June 28, 2022 19:54
@andersk
Copy link
Contributor Author

andersk commented Jun 28, 2022

Updated.

sobolevn
sobolevn reviewed Jun 28, 2022
View reviewed changes
django-stubs/db/backends/utils.pyi
@@ -13,6 +27,14 @@ else:

logger: Any

# Protocol matching psycopg2.sql.Composable, to avoid depending psycopg2
class _Composable(Protocol):
Copy link
Member

@sobolevn sobolevn Jun 28, 2022
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we depend on types-psycopg2? What do you think?
Refs #114

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A risk in that approach is that typeshed packages are obsoleted when the corresponding upstream packages add type annotations. In fact, psycopg3 (psycopg on PyPI) already has upstream type annotations, and we’ll want to support its version of Composable, which satisfies the same protocol.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, thanks!

sobolevn
sobolevn approved these changes Jun 28, 2022
View reviewed changes
Copy link
Member

@sobolevn sobolevn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤖 👾 ✨

@sobolevn
Copy link
Member

Can you please resolve a conflict? I've merged something that broke this file django-stubs/db/backends/utils.pyi

@andersk
Support cursor.execute(psycopg2.sql.Composable)
376406c 
In addition to str, PostgreSQL cursors accept the
psycopg2.sql.Composable type, which is useful for guarding against SQL
injections when building raw queries that can’t be parameterized in
the normal way (e.g. interpolating identifiers).

In order to avoid reintroducing a dependency on psycopg2, we define a
Protocol that matches psycopg2.sql.Composable.

Documentation: https://www.psycopg.org/docs/sql.html
Related: python/typeshed#7494

Signed-off-by: Anders Kaseorg <andersk@mit.edu>
@andersk andersk force-pushed the execute-psycopg2-composable branch from 1cf8dfc to 376406c Compare June 28, 2022 20:31
@andersk
Copy link
Contributor Author

andersk commented Jun 28, 2022

No problem, resolved.

sobolevn
sobolevn approved these changes Jun 28, 2022
View reviewed changes
Copy link
Member

@sobolevn sobolevn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks again 😊

@sobolevn sobolevn merged commit 214b0c7 into typeddjango:master Jun 28, 2022
@andersk andersk deleted the execute-psycopg2-composable branch June 28, 2022 20:44
@andersk andersk mentioned this pull request Sep 15, 2023
Merged
@flaeppe flaeppe mentioned this pull request Oct 12, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sobolevn sobolevn sobolevn approved these changes

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@andersk @PIG208 @sobolevn