fix: Escaping in SQL templates for qmark parameter style

Author: m1so

deepnote_toolkit/sql/jinjasql_utils.py

@@ -20,13 +20,13 @@ def render_jinja_sql_template(template, param_style=None):
         str: The rendered SQL query.
     """
 
-    escaped_template = _escape_jinja_template(template)
-
     # Default to pyformat for backwards compatibility
     # Note: Some databases like Trino require "qmark" or "format" style
-    jinja_sql = JinjaSql(
-        param_style=param_style if param_style is not None else "pyformat"
-    )
+    effective_param_style = param_style if param_style is not None else "pyformat"
+
+    escaped_template = _escape_jinja_template(template, effective_param_style)
+
+    jinja_sql = JinjaSql(param_style=effective_param_style)
     parsed_content = jinja_sql.env.parse(escaped_template)
     required_variables = meta.find_undeclared_variables(parsed_content)
     jinja_sql_data = {
@@ -40,9 +40,14 @@ def _get_variable_value(variable_name):
     return getattr(__main__, variable_name)
 
 
-def _escape_jinja_template(template):
+def _escape_jinja_template(template, param_style: str = "pyformat"):
     # see https://github.com/sripathikrishnan/jinjasql/issues/28 and https://stackoverflow.com/q/8657508/2761695
     # we have to replace % by %% in the SQL query due to how SQL alchemy interprets %
-    # but only if the { is not preceded by { or followed by }, because those are jinja blocks
-    # we use lookbehind ?<= and lookahead ?= regex matchers to capture the { and } symbols
-    return re.sub(r"(?<=[^{])%(?=[^}])", "%%", template)
+    # but ONLY for param styles that use % (format and pyformat)
+    # For other param styles (qmark), % has no special meaning
+    # and should not be escaped (e.g., in date format strings like '%m-%d-%Y')
+    if param_style in ("format", "pyformat"):
+        # Only escape % if it's not part of a jinja block (not preceded by { or followed by })
+        # we use lookbehind ?<= and lookahead ?= regex matchers to capture the { and } symbols
+        return re.sub(r"(?<=[^{])%(?=[^}])", "%%", template)
+    return template

tests/unit/test_jinjasql_utils.py

@@ -89,6 +89,32 @@ def test_qmark_format(self):
         self.assertEqual(query.strip(), "SELECT * FROM users WHERE id = ?")
         self.assertEqual(bind_params, ["test"])
 
+    def test_qmark_escaping(self):
+        template = "SELECT date_format(TIMESTAMP '2022-10-20 05:10:00', '%m-%d-%Y %H')"
+
+        query, bind_params = render_jinja_sql_template(template, param_style="qmark")
+
+        self.assertEqual(query, template)
+        self.assertEqual(bind_params, [])
+
+    def test_pyformat_escaping(self):
+        query, bind_params = render_jinja_sql_template(
+            "SELECT '% character'",
+            param_style="pyformat",
+        )
+
+        self.assertEqual(query, "SELECT '%% character'")
+        self.assertEqual(bind_params, {})
+
+    def test_format_escaping(self):
+        query, bind_params = render_jinja_sql_template(
+            "SELECT '% character'",
+            param_style="format",
+        )
+
+        self.assertEqual(query, "SELECT '%% character'")
+        self.assertEqual(bind_params, [])
+
 
 if __name__ == "__main__":
     unittest.main()