authorMariusz Felisiak <felisiak.mariusz@gmail.com>2019-08-01 11:48:58 +0200
committerMariusz Felisiak <felisiak.mariusz@gmail.com>2019-08-05 14:16:35 +0200
commit05964b2198e53a8d66e34d83d9123e3051720b28 (patch)
tree76accbe25632379e0fce75642b1a9b7332c5cfdf /django/contrib/postgres/fields/array.py
parent0e02e496cdc75741a789f8694f66e776bb8214f1 (diff)
Moved indexes in ArrayField's Index and Slice transforms to SQL params.
Follow up to 7deeabc7c7526786df6894429ce89a9c4b614086. These lookups aren't vulnerable to SQL injection because both accept only integer indexes; passing them as parameters is simply good practice.
Diffstat (limited to 'django/contrib/postgres/fields/array.py')
-rw-r--r--django/contrib/postgres/fields/array.py4
1 files changed, 2 insertions, 2 deletions
diff --git a/django/contrib/postgres/fields/array.py b/django/contrib/postgres/fields/array.py
index a344cccbcc..f85a280b61 100644
--- a/django/contrib/postgres/fields/array.py
+++ b/django/contrib/postgres/fields/array.py
@@ -262,7 +262,7 @@ class IndexTransform(Transform):
def as_sql(self, compiler, connection):
lhs, params = compiler.compile(self.lhs)
- return '%s[%s]' % (lhs, self.index), params
+ return '%s[%%s]' % lhs, params + [self.index]
@property
def output_field(self):
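Review bot: The new return lines splice self.index (and self.start/self.end in the SliceTransform hunk) into the parameter list without a comment recording why, while the integer-only guarantee the commit message relies on is enforced outside this hunk, presumably in the transform factories or get_transform. A one-line why-comment above each return would keep the two from silently drifting apart: `# Bind the index as a query parameter rather than formatting it into the SQL text, so the driver's escaping is a second barrier behind the integer check upstream.` The same note applies to SliceTransform.as_sql in the second hunk. As a point of style, `params + [self.index]` assumes compiler.compile returned a list; `[*params, self.index]` would also accept a tuple, which only matters if that contract is not guaranteed elsewhere in the project. IndexTransform and SliceTransform both begin outside their hunks, but each as_sql body is fully visible.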
@@ -288,7 +288,7 @@ class SliceTransform(Transform):
def as_sql(self, compiler, connection):
lhs, params = compiler.compile(self.lhs)
- return '%s[%s:%s]' % (lhs, self.start, self.end), params
+ return '%s[%%s:%%s]' % lhs, params + [self.start, self.end]
class SliceTransformFactory: