fix use of parameters arg in Cursor.execute

james-willis · james-willis · commit 478f9ac95d3b · 2025-07-29T13:08:41.000-07:00
There is still a problem - we don't sanitize these inputs even though users would assume that we do
diff --git a/wherobots/db/cursor.py b/wherobots/db/cursor.py
@@ -81,7 +81,7 @@ def execute(self, operation: str, parameters: Dict[str, Any] = None) -> None:
         self.__description = None
 
         sql = (
-            operation.replace("{", "{{").replace("}", "}}").format(**(parameters or {}))
+            operation.format(**(parameters or {}))
         )
         self.__current_execution_id = self.__exec_fn(sql, self.__on_execution_result)
 

Original file line number	Diff line number	Diff line change
`@@ -81,7 +81,7 @@ def execute(self, operation: str, parameters: Dict[str, Any] = None) -> None:`
`81`	`81`	`self.__description = None`
`82`	`82`
`83`	`83`	`sql = (`
`84`		`- operation.replace("{", "{{").replace("}", "}}").format(**(parameters or {}))`
	`84`	`+ operation.format(**(parameters or {}))`
`85`	`85`	`)`
`86`	`86`	`self.__current_execution_id = self.__exec_fn(sql, self.__on_execution_result)`
`87`	`87`