mirror of https://github.com/django/django.git
Moved indexes in ArrayField's Index and Slice transforms to SQL params.
Follow up to 7deeabc7c7
.
These lookups aren't vulnerable to SQL injection because both accept
only integer indexes. It is a part of good practices.
This commit is contained in:
parent
0e02e496cd
commit
05964b2198
|
@ -262,7 +262,7 @@ class IndexTransform(Transform):
|
|||
|
||||
def as_sql(self, compiler, connection):
|
||||
lhs, params = compiler.compile(self.lhs)
|
||||
return '%s[%s]' % (lhs, self.index), params
|
||||
return '%s[%%s]' % lhs, params + [self.index]
|
||||
|
||||
@property
|
||||
def output_field(self):
|
||||
|
@ -288,7 +288,7 @@ class SliceTransform(Transform):
|
|||
|
||||
def as_sql(self, compiler, connection):
|
||||
lhs, params = compiler.compile(self.lhs)
|
||||
return '%s[%s:%s]' % (lhs, self.start, self.end), params
|
||||
return '%s[%%s:%%s]' % lhs, params + [self.start, self.end]
|
||||
|
||||
|
||||
class SliceTransformFactory:
|
||||
|
|
Loading…
Reference in New Issue