summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMariusz Felisiak <felisiak.mariusz@gmail.com>2019-08-01 11:48:58 +0200
committerMariusz Felisiak <felisiak.mariusz@gmail.com>2019-08-05 14:16:35 +0200
commit05964b2198e53a8d66e34d83d9123e3051720b28 (patch)
tree76accbe25632379e0fce75642b1a9b7332c5cfdf
parent0e02e496cdc75741a789f8694f66e776bb8214f1 (diff)
Moved indexes in ArrayField's Index and Slice transforms to SQL params.
Follow up to 7deeabc7c7526786df6894429ce89a9c4b614086. These lookups aren't vulnerable to SQL injection because both accept only integer indexes. It is a part of good practices.
-rw-r--r--django/contrib/postgres/fields/array.py4
1 files changed, 2 insertions, 2 deletions
diff --git a/django/contrib/postgres/fields/array.py b/django/contrib/postgres/fields/array.py
index a344cccbcc..f85a280b61 100644
--- a/django/contrib/postgres/fields/array.py
+++ b/django/contrib/postgres/fields/array.py
@@ -262,7 +262,7 @@ class IndexTransform(Transform):
def as_sql(self, compiler, connection):
lhs, params = compiler.compile(self.lhs)
- return '%s[%s]' % (lhs, self.index), params
+ return '%s[%%s]' % lhs, params + [self.index]
@property
def output_field(self):
@@ -288,7 +288,7 @@ class SliceTransform(Transform):
def as_sql(self, compiler, connection):
lhs, params = compiler.compile(self.lhs)
- return '%s[%s:%s]' % (lhs, self.start, self.end), params
+ return '%s[%%s:%%s]' % lhs, params + [self.start, self.end]
class SliceTransformFactory: