From 05964b2198e53a8d66e34d83d9123e3051720b28 Mon Sep 17 00:00:00 2001
From: Mariusz Felisiak
Date: Thu, 1 Aug 2019 11:48:58 +0200
Subject: [PATCH] Moved indexes in ArrayField's Index and Slice transforms to SQL params.

Follow up to 7deeabc7c7526786df6894429ce89a9c4b614086.

These lookups aren't vulnerable to SQL injection because both accept only integer indexes. It is a part of good practices.
---
 django/contrib/postgres/fields/array.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/django/contrib/postgres/fields/array.py b/django/contrib/postgres/fields/array.py
index a344cccbcc..f85a280b61 100644
--- a/django/contrib/postgres/fields/array.py
+++ b/django/contrib/postgres/fields/array.py
@@ -262,7 +262,7 @@ class IndexTransform(Transform):
 
     def as_sql(self, compiler, connection):
         lhs, params = compiler.compile(self.lhs)
-        return '%s[%s]' % (lhs, self.index), params
+        return '%s[%%s]' % lhs, params + [self.index]
 
     @property
     def output_field(self):
@@ -288,7 +288,7 @@ class SliceTransform(Transform):
 
     def as_sql(self, compiler, connection):
         lhs, params = compiler.compile(self.lhs)
-        return '%s[%s:%s]' % (lhs, self.start, self.end), params
+        return '%s[%%s:%%s]' % lhs, params + [self.start, self.end]
 
 
 class SliceTransformFactory:
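Review bot: `params + [self.index]` on the new return line of IndexTransform.as_sql assumes compiler.compile(self.lhs) hands back its parameters as a list; if the lhs compiles to a tuple of params, as some expressions do, the concatenation raises TypeError, and the same applies to `params + [self.start, self.end]` in the SliceTransform.as_sql hunk. Writing them as `return '%s[%%s]' % lhs, (*params, self.index)` and `return '%s[%%s:%%s]' % lhs, (*params, self.start, self.end)` accepts either shape. The property that these values are integers, which the commit message gives as the reason this is hardening rather than an injection fix, is enforced outside this hunk, presumably where the transform factories are resolved from the lookup name; a one-line comment here such as `# index is an int coerced when the transform is resolved; bound as a parameter as good practice` would make that visible to the next reader. Both enclosing classes continue outside the hunks.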