Raw queries can now be parameterised

dantownsend · dantownsend · commit 00630934a385 · 2019-09-13T13:03:11.000+01:00
diff --git a/docs/src/piccolo/query_types/raw.rst b/docs/src/piccolo/query_types/raw.rst
@@ -11,4 +11,12 @@ Should you need to, you can execute raw SQL.
     [{'name': 'Pythonistas', 'manager': 1, 'popularity': 1000, 'id': 1},
         {'name': 'Rustaceans', 'manager': 2, 'popularity': 500, 'id': 2}]
 
-.. warning:: Be careful to avoid SQL injection attacks. Don't substitute user submitted data into your SQL strings.
+It's recommended that you parameterise any values. Use curly braces ``{}`` as
+placeholders:
+
+.. code-block:: python
+
+    >>> Band.raw('select * from band where name = {}', 'Pythonistas').run_sync()
+    [{'name': 'Pythonistas', 'manager': 1, 'popularity': 1000, 'id': 1}]
+
+.. warning:: Be careful to avoid SQL injection attacks. Don't add any user submitted data into your SQL strings, unless it's parameterised.
diff --git a/piccolo/query/methods/raw.py b/piccolo/query/methods/raw.py
@@ -5,10 +5,6 @@
 
 
 class Raw(Query):
-
     @property
     def querystring(self) -> QueryString:
         return self.base
-
-    def __str__(self):
-        return self.querystring.__str__()
diff --git a/piccolo/query/methods/select.py b/piccolo/query/methods/select.py
@@ -134,6 +134,8 @@ def querystring(self) -> QueryString:
 
         #######################################################################
 
+        # If no columns have been specified for selection, select all columns
+        # on the table:
         if len(self.columns_delegate.selected_columns) == 0:
             self.columns_delegate.selected_columns = self.table._meta.columns
 
diff --git a/piccolo/table.py b/piccolo/table.py
@@ -272,13 +272,17 @@ def insert(cls, *rows: "Table") -> Insert:
         return query
 
     @classmethod
-    def raw(cls, sql: str) -> Raw:
+    def raw(cls, sql: str, *args: t.Any) -> Raw:
         """
         Execute raw SQL queries on the underlying engine - use with caution!
 
-        await Band.raw('select * from foo')
+        await Band.raw('select * from band')
+
+        Or passing in parameters:
+
+        await Band.raw("select * from band where name = {}", 'Pythonistas')
         """
-        return Raw(table=cls, base=QueryString(sql))
+        return Raw(table=cls, base=QueryString(sql, *args))
 
     @classmethod
     def select(cls) -> Select:
diff --git a/tests/table/test_raw.py b/tests/table/test_raw.py
@@ -0,0 +1,27 @@
+from ..base import DBTestCase
+from ..example_project.tables import Band, Concert
+
+
+class TestRaw(DBTestCase):
+    def test_raw_without_args(self):
+        self.insert_row()
+
+        response = Band.raw("select * from band").run_sync()
+
+        self.assertDictEqual(
+            response[0],
+            {"id": 1, "name": "Pythonistas", "manager": 1, "popularity": 1000},
+        )
+
+    def test_raw_with_args(self):
+        self.insert_rows()
+
+        response = Band.raw(
+            "select * from band where name = {}", "Pythonistas"
+        ).run_sync()
+
+        self.assertTrue(len(response) == 1)
+        self.assertDictEqual(
+            response[0],
+            {"id": 1, "name": "Pythonistas", "manager": 1, "popularity": 1000},
+        )
