Template Language for SQL with Automatic Bind Parameter Extraction
This release fixes a critical bug https://github.com/hashedin/jinjasql/issues/30. If your sql template uses string concatenation or other python operators, it can lead to sql injection.
This release is available on PyPI - https://pypi.org/project/jinjasql/0.1.8/
Fixes an issue with |inclause
filter when a different parameter formatting style is requested. See https://github.com/hashedin/jinjasql/pull/6
Credit: @kxepal
The major feature is support for multiple param styles. Per PEP-249, database libraries can support 5 different styles of parameter types. These are :
...WHERE name=%s
. This is the default style....WHERE name=?
...WHERE name=:1
...WHERE name=:name
...WHERE name=%(name)s
You can specify the param_style by passing it to the constructor like this
jinja = JinjaSql(param_style='qmark')
Note that named
and pyformat
are special. The bind_parameters
object returned by prepare_query
will be a dictionary. For all other param styles, the bind_parameters
object will be a list.
Other Changes
ordereddict
is not available in python 2.6.x. Although workaround exist to add orderedict
to python 2.6.x, the special handling wasn't worth it. If required, this can be added back fairly easily.This release supports passing django request object as a context parameter to prepare_query
With this release, we are using Jinja's autoescape feature. As a result, the output of a macro is now considered SQL safe. This eliminates the need to manually invoke the |sqlsafe filter.
Earlier:
{% macro week(value) -%}
some_sql_function({{value}})
{%- endmacro %}
SELECT 'x' from dual WHERE created_date > {{ week(request.start_date) | sqlsafe }}
Now:
{% macro week(value) -%}
some_sql_function({{value}})
{%- endmacro %}
SELECT 'x' from dual WHERE created_date > {{ week(request.start_date) }}
Notice that you don't need |sqlsafe filter when invoking the week macro.