
Release 0.1.8

@sripathikrishnan sripathikrishnan released this 28 May 00:43

Upgrade Severity: Critical

This release fixes critical bug #30. If your SQL template uses string concatenation or other Python operators inside a template expression, JinjaSQL did not bind the resulting value as a parameter, which can lead to SQL injection.

This release is available on PyPI - https://pypi.org/project/jinjasql/0.1.8/

All Fixes:

  1. JinjaSQL failed to bind parameters when a template expression (rather than a plain variable) was used, so the value was not passed to the database driver as a bind parameter. See #30.
  2. prepare_query now returns the bind parameters as either a plain list or a plain dict. Earlier it returned an OrderedDict or an OrderedDict.values() view, which broke database drivers that expect a plain list or dict. See 543810a.
  3. Prevent infinite loops when the same parameter name is bound multiple times with different values, as in an IN clause. See #16 and #17. Credit @benrudolph.
  4. Support for the asyncpg library, which expects bind parameters in the $1, $2, ... syntax. Credit @a.zubarev. See fc3ce9d.
  5. prepare_query now accepts a precompiled jinja2 Template object in addition to a string. Credit @Photonios. See 30504f4.
  6. Dropped support for Python 3.4. It will likely still work, but it is no longer tested or supported.
  7. Tests now run on GitHub Actions.
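The following is an added illustration of the bind-parameter approach that the fixes above are about; it is not JinjaSQL's own code and is not taken from this release. The stand-in prepare_query below mirrors JinjaSQL's names (prepare_query, the inclause filter, the qmark/named/asyncpg param styles) but is a constructed implementation that only understands plain {{ name }} placeholders and {{ name | inclause }}; it deliberately does not evaluate Jinja expressions, which is exactly the case #30 concerns. It shows why an unbound value is a SQL injection (the spliced query returns every row, the bound one returns none), why the same name bound repeatedly in an IN clause needs distinct keys in named style (fix 3), and what the $1, $2 numbering looks like for asyncpg (fix 4). The users table is constructed sample data, and the sqlite3 checks are only run for the placeholder styles sqlite3 accepts.

```python
import re
import sqlite3
from typing import Any, Dict, List, Tuple, Union

# Placeholder forms this stand-in understands: {{ name }} and
# {{ name | inclause }} (a list expanded to one bind parameter per element).
# Jinja expressions such as {{ 'a' + x }} are deliberately not supported.
PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*(\|\s*inclause)?\s*\}\}")

BindParams = Union[List[Any], Dict[str, Any]]


def prepare_query(template: str, data: Dict[str, Any],
                  param_style: str = "qmark") -> Tuple[str, BindParams]:
    """Return (sql, bind_params) for the requested driver placeholder style.

    Each placeholder is replaced by a driver placeholder and its value is
    collected for the driver; the value itself never enters the SQL text.
    Positional styles ('qmark' -> ?, 'asyncpg' -> $1, $2, ...) return a
    plain list, 'named' (-> :name) returns a plain dict.
    """
    positional: List[Any] = []
    named: Dict[str, Any] = {}

    def bind(name: str, value: Any) -> str:
        if param_style == "qmark":
            positional.append(value)
            return "?"
        if param_style == "asyncpg":
            positional.append(value)
            return "$%d" % len(positional)  # numbered per occurrence, left to right
        if param_style == "named":
            named[name] = value
            return ":" + name
        raise ValueError("unsupported param_style: %r" % param_style)

    def replace(match) -> str:
        name, value = match.group(1), data[match.group(1)]
        if match.group(2) is None:
            return bind(name, value)
        # IN clause: one bind parameter per element.  In named style the same
        # name must not be reused with different values, so each element gets
        # its own key (ids_0, ids_1, ...).
        parts = [bind("%s_%d" % (name, i), v) for i, v in enumerate(value)]
        return "(" + ", ".join(parts) + ")"

    sql = PLACEHOLDER.sub(replace, template)
    return sql, (named if param_style == "named" else positional)


def _sample_db() -> sqlite3.Connection:
    """Constructed sample table for the demo; not data from the release page."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users(id INTEGER, name TEXT, role TEXT);"
        "INSERT INTO users VALUES (1,'alice','admin'),(2,'bob','user'),(3,'carol','user');"
    )
    return conn


def injection_demo(name: str) -> Tuple[int, int]:
    """Row counts for (value spliced into the SQL text, value bound) with the same input."""
    conn = _sample_db()
    spliced = "SELECT id FROM users WHERE name = '%s'" % name  # what an unbound value amounts to
    sql, params = prepare_query("SELECT id FROM users WHERE name = {{ name }}", {"name": name})
    return (len(conn.execute(spliced).fetchall()),
            len(conn.execute(sql, params).fetchall()))


IN_TEMPLATE = ("SELECT name FROM users WHERE role = {{ role }} "
               "AND id IN {{ ids | inclause }} ORDER BY id")
IN_DATA = {"role": "user", "ids": [2, 3, 4]}


def inclause_demo(param_style: str) -> Tuple[str, BindParams, List[str]]:
    """Prepared SQL and params for the IN-clause template; rows are fetched for the
    styles sqlite3 accepts ('qmark', 'named') and left empty for 'asyncpg'."""
    sql, params = prepare_query(IN_TEMPLATE, IN_DATA, param_style)
    names: List[str] = []
    if param_style != "asyncpg":
        names = [row[0] for row in _sample_db().execute(sql, params)]
    return sql, params, names


if __name__ == "__main__":
    print("spliced vs bound rows:", injection_demo("x' OR '1'='1"))
    for style in ("qmark", "named", "asyncpg"):
        print(style, inclause_demo(style)[:2])
```

With the payload x' OR '1'='1 the spliced query matches all three rows while the bound query matches none, which is the difference between the behaviour #30 describes and the fixed one. The named-style output also shows why an IN clause needs one key per element: binding the same name three times with three different values is what the older code looped on.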