Parametrize related field queries (#1797)

* Refactor to use get_parameterized_sql from pypika

* Use parametrized queries when fetching related fields

Author: henadzit

CHANGELOG.rst

@@ -19,6 +19,7 @@ Fixed
 Changed
 ^^^^^^^
 - Parametrizes UPDATE, DELETE, bulk update and create operations (#1785)
+- Parametrizes related field queries (#1797)
 
 0.22.1
 ------

poetry.lock

@@ -36,7 +36,7 @@ classifiers = [
 
 [tool.poetry.dependencies]
 python = "^3.8"
-pypika-tortoise = "^0.3.1"
+pypika-tortoise = "^0.3.2"
 iso8601 = "^2.1.0"
 aiosqlite = ">=0.16.0, <0.21.0"
 pytz = "*"

pyproject.toml

@@ -21,7 +21,6 @@
 
 from pypika import JoinType, Parameter, Table
 from pypika.queries import QueryBuilder
-from pypika.terms import Parameterizer
 
 from tortoise.exceptions import OperationalError
 from tortoise.expressions import Expression, ResolveContext
@@ -192,10 +191,6 @@ async def _process_insert_result(self, instance: "Model", results: Any) -> None:
     def parameter(self, pos: int) -> Parameter:
         return Parameter(idx=pos + 1)
 
-    @classmethod
-    def parameterizer(cls) -> Parameterizer:
-        return Parameterizer()
-
     async def execute_insert(self, instance: "Model") -> None:
         if not instance._custom_generated_pk:
             values = [
@@ -455,7 +450,7 @@ async def _prefetch_m2m_relation(
             if modifier.having_criterion:
                 query = query.having(modifier.having_criterion)
 
-        _, raw_results = await self.db.execute_query(query.get_sql())
+        _, raw_results = await self.db.execute_query(*query.get_parameterized_sql())
         relations: List[Tuple[Any, Any]] = []
         related_object_list: List["Model"] = []
         model_pk, related_pk = self.model._meta.pk, field_object.related_model._meta.pk

tortoise/backends/base/executor.py

@@ -7,6 +7,8 @@
 import psycopg.pq
 import psycopg.rows
 import psycopg_pool
+from pypika.dialects.postgresql import PostgreSQLQuery, PostgreSQLQueryBuilder
+from pypika.terms import Parameterizer
 
 import tortoise.backends.base.client as base_client
 import tortoise.backends.base_postgres.client as postgres_client
@@ -28,7 +30,26 @@ async def release(self, connection: psycopg.AsyncConnection):
         await self.putconn(connection)
 
 
+class PsycopgSQLQuery(PostgreSQLQuery):
+    @classmethod
+    def _builder(cls, **kwargs) -> "PostgreSQLQueryBuilder":
+        return PsycopgSQLQueryBuilder(**kwargs)
+
+
+class PsycopgSQLQueryBuilder(PostgreSQLQueryBuilder):
+    """
+    Psycopg opted to use a custom parameter placeholder, so we need to override the default
+    """
+
+    def get_parameterized_sql(self, **kwargs) -> typing.Tuple[str, list]:
+        parameterizer = kwargs.pop(
+            "parameterizer", Parameterizer(placeholder_factory=lambda _: "%s")
+        )
+        return super().get_parameterized_sql(parameterizer=parameterizer, **kwargs)
+
+
 class PsycopgClient(postgres_client.BasePostgresClient):
+    query_class: typing.Type[PsycopgSQLQuery] = PsycopgSQLQuery
     executor_class: typing.Type[executor.PsycopgExecutor] = executor.PsycopgExecutor
     schema_generator: typing.Type[PsycopgSchemaGenerator] = PsycopgSchemaGenerator
     _pool: typing.Optional[AsyncConnectionPool] = None

tortoise/backends/psycopg/client.py

@@ -2,7 +2,7 @@
 
 from typing import Optional
 
-from pypika import Parameter, Parameterizer
+from pypika import Parameter
 
 from tortoise import Model
 from tortoise.backends.base_postgres.executor import BasePostgresExecutor
@@ -26,7 +26,3 @@ async def _process_insert_result(
 
     def parameter(self, pos: int) -> Parameter:
         return Parameter("%s")
-
-    @classmethod
-    def parameterizer(cls) -> Parameterizer:
-        return Parameterizer(placeholder_factory=lambda _: "%s")

tortoise/backends/psycopg/executor.py

@@ -1,6 +1,6 @@
 import datetime
-from decimal import Decimal
 import sqlite3
+from decimal import Decimal
 from typing import Optional, Type, Union
 
 import pytz

tortoise/backends/sqlite/executor.py

@@ -205,7 +205,8 @@ def __init__(self, query: "AwaitableQuery") -> None:
 
     def get_sql(self, **kwargs: Any) -> str:
         self.query._choose_db_if_not_chosen()
-        return self.query._make_query(**kwargs)[0]
+        self.query._make_query()
+        return self.query.query.get_parameterized_sql(**kwargs)[0]
 
     def as_(self, alias: str) -> "Selectable":  # type: ignore
         self.query._choose_db_if_not_chosen()

tortoise/expressions.py

@@ -184,7 +184,9 @@ async def add(self, *instances: MODEL, using_db: "Optional[BaseDBAsyncClient]" =
         criterion = forward_field == pks_f[0] if len(pks_f) == 1 else forward_field.isin(pks_f)
         select_query = select_query.where(criterion)
 
-        _, already_existing_relations_raw = await db.execute_query(str(select_query))
+        _, already_existing_relations_raw = await db.execute_query(
+            *select_query.get_parameterized_sql()
+        )
         already_existing_forward_pks = {
             related_pk_formatting_func(r[forward_key], self.instance)
             for r in already_existing_relations_raw
@@ -194,7 +196,7 @@ async def add(self, *instances: MODEL, using_db: "Optional[BaseDBAsyncClient]" =
             query = db.query_class.into(through_table).columns(forward_field, backward_field)
             for pk_f in pks_f_to_insert:
                 query = query.insert(pk_f, pk_b)
-            await db.execute_query(str(query))
+            await db.execute_query(*query.get_parameterized_sql())
 
     async def clear(self, using_db: "Optional[BaseDBAsyncClient]" = None) -> None:
         """
@@ -237,7 +239,7 @@ async def _remove_or_clear(
                     [related_pk_formatting_func(i.pk, i) for i in instances]
                 )
         query = db.query_class.from_(through_table).where(condition).delete()
-        await db.execute_query(str(query))
+        await db.execute_query(*query.get_parameterized_sql())
 
 
 class RelationalField(Field[MODEL]):