SQL.execute escapes collation-name in ORDER BY clauses
dmalan opened this issue · 1 comments
dmalan commented
- https://www.sqlite.org/lang_select.html#orderby
- https://www.reddit.com/r/cs50/comments/g8nxh6/dbexecute_parameter_remove_quoted/
Unfortunately, sqlparse doesn't give us much contextual information to distinguish literals from identifiers. For instance, `SELECT ? FROM ? ORDER BY ?` parses as:

```
$ python3
>>> import sqlparse
>>> statements = sqlparse.parse(sqlparse.format("SELECT ? FROM ? ORDER BY ?"))
>>> for token in statements[0].flatten():
...     print(token.__repr__())
...
<DML 'SELECT' at 0x7F9D5A99CDE0>
<Whitespace ' ' at 0x7F9D5A99CE50>
<Placeholder '?' at 0x7F9D5A99CEC0>
<Whitespace ' ' at 0x7F9D5A99CF30>
<Keyword 'FROM' at 0x7F9D5A99CAD0>
<Whitespace ' ' at 0x7F9D5A926050>
<Placeholder '?' at 0x7F9D5A9260C0>
<Whitespace ' ' at 0x7F9D5A926130>
<Keyword 'ORDER ...' at 0x7F9D5A9261A0>
<Whitespace ' ' at 0x7F9D5A926210>
<Placeholder '?' at 0x7F9D5A926280>
```
dmalan commented
Nixing as unsupported in libraries like pysqlite too.
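An added example, not code from this issue or from the library it concerns: what Python's built-in `sqlite3` does with a placeholder in `ORDER BY`, next to an allowlist for the sort column and collation name. The `people` table and all helper names are hypothetical, and the rows are constructed sample data.

```python
import sqlite3

# Identifiers and collation names cannot be bound, so pick them from fixed sets.
SORTABLE_COLUMNS = {"id", "name"}
COLLATIONS = {"BINARY", "NOCASE", "RTRIM"}   # SQLite's built-in collations
DIRECTIONS = {"ASC", "DESC"}

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO people (name) VALUES (?)",
                   [("bob",), ("Alice",), ("carol",), ("Bob",)])  # constructed rows
    return db

def names_bound(db, order_value):
    """Bind the sort key: SQLite receives a constant string, not a column name."""
    rows = db.execute("SELECT name FROM people ORDER BY ?", (order_value,))
    return [r[0] for r in rows]

def collate_bound_error(db, collation):
    """Bind the collation name: returns the driver's error text, or None if accepted."""
    try:
        db.execute("SELECT name FROM people ORDER BY name COLLATE ?", (collation,))
    except sqlite3.Error as exc:
        return str(exc)
    return None

def names_sorted(db, column="name", collation="BINARY", direction="ASC"):
    """Build ORDER BY only from allowlisted tokens; nothing caller-supplied is spliced raw."""
    collation, direction = collation.upper(), direction.upper()
    if column not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    if collation not in COLLATIONS:
        raise ValueError(f"unsupported collation: {collation!r}")
    if direction not in DIRECTIONS:
        raise ValueError(f"unsupported direction: {direction!r}")
    sql = f'SELECT name FROM people ORDER BY "{column}" COLLATE {collation} {direction}'
    return [r[0] for r in db.execute(sql)]

if __name__ == "__main__":
    db = make_db()
    print("bound 'name':     ", names_bound(db, "name"))
    print("bound 'name DESC':", names_bound(db, "name DESC"))
    print("COLLATE ? error:  ", collate_bound_error(db, "NOCASE"))
    print("allowlisted:      ", names_sorted(db, "name", "NOCASE", "DESC"))
```

Values in `WHERE` and `VALUES` still go through `?`; only the sort column, collation and direction take the allowlist path.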