use psycopg's SQL quoting where possible

Use the SQL formatting supplied with psycopg whenever the query needs to be put together from snippets.
2026-03-12 05:44:06 +00:00 · 2021-07-12 22:05:22 +02:00
parent 6f6681ce67
commit 14f777da18
5 changed files with 58 additions and 42 deletions
--- a/nominatim/tools/freeze.py
+++ b/nominatim/tools/freeze.py
@@ -3,6 +3,8 @@ Functions for removing unnecessary data from the database.
 """
 from pathlib import Path

+from psycopg2 import sql as pysql
+
 UPDATE_TABLES = [
    'address_levels',
    'gb_postcode',
@@ -21,11 +23,11 @@ def drop_update_tables(conn):
    """ Drop all tables only necessary for updating the database from
        OSM replication data.
    """
-
-    where = ' or '.join(["(tablename LIKE '{}')".format(t) for t in UPDATE_TABLES])
+    parts = (pysql.SQL("(tablename LIKE {})").format(pysql.Literal(t)) for t in UPDATE_TABLES)

    with conn.cursor() as cur:
-        cur.execute("SELECT tablename FROM pg_tables WHERE " + where)
+        cur.execute(pysql.SQL("SELECT tablename FROM pg_tables WHERE ")
+                    + pysql.SQL(' or ').join(parts))
        tables = [r[0] for r in cur]

        for table in tables: