--- a/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/injectionSql.py Tue Jan 16 14:35:46 2024 +0100
+++ b/src/eric7/Plugins/CheckerPlugins/CodeStyleChecker/Security/Checks/injectionSql.py Tue Jan 16 18:24:06 2024 +0100
@@ -82,8 +82,18 @@
 # Hierarchy for "".format() is Wrapper -> Call -> Attribute -> Str
 wrapper = node._securityParent._securityParent._securityParent
 elif hasattr(ast, "JoinedStr") and isinstance(node._securityParent, ast.JoinedStr):
- statement = node.value
- wrapper = node._securityParent._securityParent
+ substrings = [
+ child
+ for child in node._securityParent.values
+ if isinstance(child, ast.Constant) and isinstance(node.value, str)
+ ]
+ # JoinedStr consists of list of Constant and FormattedValue
+ # instances. Let's perform one test for the whole string
+ # and abandon all parts except the first one to raise one
+ # failed test instead of many for the same SQL statement.
+ if substrings and node == substrings[0]:
+ statement = "".join([str(child.value) for child in substrings])
+ wrapper = node._securityParent._securityParent
 if isinstance(wrapper, ast.Call): # wrapped in "execute" call?
 names = ["execute", "executemany"]