pythongh-118928: sqlite3: disallow sequences of params with named pla…

…ceholders Follow-up of pythongh-101693.
erlend-aasland · May 10, 2024 · b66f04a · b66f04a
1 parent aa36f83
commit b66f04a
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 9 deletions.
diff --git a/Doc/whatsnew/3.14.rst b/Doc/whatsnew/3.14.rst
@@ -86,6 +86,12 @@ New Modules
 Improved Modules
 ================
 
+sqlite3
+-------
+
+Disallow using a sequence of params with named placeholders.
+(Contributed by Erlend E. Aasland in :gh:`118928` and :gh:`101693`.)
+
 
 Optimizations
 =============

diff --git a/Lib/test/test_sqlite3/test_dbapi.py b/Lib/test/test_sqlite3/test_dbapi.py
@@ -889,9 +889,8 @@ def test_execute_named_param_and_sequence(self):
         msg = "Binding.*is a named parameter"
         for query, params in dataset:
             with self.subTest(query=query, params=params):
-                with self.assertWarnsRegex(DeprecationWarning, msg) as cm:
+                with self.assertRaisesRegex(sqlite.ProgrammingError, msg) as cm:
                     self.cu.execute(query, params)
-                self.assertEqual(cm.filename,  __file__)
 
     def test_execute_indexed_nameless_params(self):
         # See gh-117995: "'?1' is considered a named placeholder"

diff --git a/Misc/NEWS.d/next/Library/2024-05-10-22-36-01.gh-issue-118928.IW7Ukv.rst b/Misc/NEWS.d/next/Library/2024-05-10-22-36-01.gh-issue-118928.IW7Ukv.rst
@@ -0,0 +1,2 @@
+Disallow using a sequence of params with named placeholders in
+:mod:`sqlite3` queries. Patch by Erlend E. Aasland.
diff --git a/Modules/_sqlite/cursor.c b/Modules/_sqlite/cursor.c
@@ -670,15 +670,10 @@ bind_parameters(pysqlite_state *state, pysqlite_Statement *self,
         for (i = 0; i < num_params; i++) {
             const char *name = sqlite3_bind_parameter_name(self->st, i+1);
             if (name != NULL && name[0] != '?') {
-                int ret = PyErr_WarnFormat(PyExc_DeprecationWarning, 1,
+                PyErr_Format(state->ProgrammingError,
                         "Binding %d ('%s') is a named parameter, but you "
                         "supplied a sequence which requires nameless (qmark) "
-                        "placeholders. Starting with Python 3.14 an "
-                        "sqlite3.ProgrammingError will be raised.",
-                        i+1, name);
-                if (ret < 0) {
-                    return;
-                }
+                        "placeholders.", i+1, name);
             }
 
             if (PyTuple_CheckExact(parameters)) {