BUG#37447394: Unable to escape a parameter marker (%s) used in a query that should not

be treated as a parameter marker.

This patch fixes this issue by adding proper regular expression checks to escape the `%s`
parameter marker when `%%s` is used in the query.

Change-Id: I31fce87821832cefa607105e8e0d20ca3be3f380

Author: SubCoder1

CHANGES.txt

@@ -15,6 +15,7 @@ v9.3.0
 - WL#16327: Remove Cursors Prepared Raw and Named Tuple
 - BUG#37541353: (Contribution) Fix typing annotation of MySQLConnectionAbstract's close function
 - BUG#37453587: Github links in PyPI project's pages do not work
+- BUG#37447394: Unable to escape a parameter marker (`%s`) used in a query that should not be treated as a parameter marker
 - BUG#37418436: Arbitrary File Read in MySQL Python Client library
 
 v9.2.0

mysql-connector-python/lib/mysql/connector/aio/cursor.py

@@ -410,6 +410,8 @@ async def _prepare_statement(
                     f"Could not process parameters: {type(params).__name__}({params}),"
                     " it must be of type list, tuple or dict"
                 )
+        # final statement with `%%s` should be replaced as `%s`
+        stmt = stmt.replace(b"%%s", b"%s")
 
         return stmt
 
@@ -1207,6 +1209,8 @@ async def execute(
             except UnicodeEncodeError as err:
                 raise ProgrammingError(str(err)) from err
 
+            # final statement with `%%s` should be replaced as `%s`
+            operation = operation.replace(b"%%s", b"%s")
             if b"%s" in operation:
                 # Convert %s to ? before sending it to MySQL
                 operation = re.sub(RE_SQL_FIND_PARAM, b"?", operation)

mysql-connector-python/lib/mysql/connector/cursor.py

@@ -95,7 +95,7 @@
     re.I | re.M | re.S,
 )
 RE_SQL_INSERT_VALUES = re.compile(r".*VALUES\s*(\(.+\)).*", re.I | re.M | re.S)
-RE_PY_PARAM = re.compile(b"(%s)")
+RE_PY_PARAM = re.compile(b"((?<!%)%s)")
 RE_PY_MAPPING_PARAM = re.compile(
     rb"""
     %
@@ -400,6 +400,8 @@ def execute(
                     " it must be of type list, tuple or dict"
                 )
 
+        # final statement with `%%s` should be replaced as `%s`
+        stmt = stmt.replace(b"%%s", b"%s")
         self._stmt_partitions = split_multi_statement(
             sql_code=stmt, map_results=map_results
         )
@@ -1235,6 +1237,8 @@ def execute(
             except UnicodeEncodeError as err:
                 raise ProgrammingError(str(err)) from err
 
+            # final statement with `%%s` should be replaced as `%s`
+            operation = operation.replace(b"%%s", b"%s")
             if b"%s" in operation:
                 # Convert %s to ? before sending it to MySQL
                 operation = re.sub(RE_SQL_FIND_PARAM, b"?", operation)

mysql-connector-python/lib/mysql/connector/cursor_cext.py

@@ -334,6 +334,9 @@ def execute(
                         "Not all parameters were used in the SQL statement"
                     )
 
+        # final statement with `%%s` should be replaced as `%s`
+        stmt = stmt.replace(b"%%s", b"%s")
+
         self._stmt_partitions = split_multi_statement(
             sql_code=stmt, map_results=map_results
         )
@@ -1121,6 +1124,8 @@ def execute(
             except UnicodeDecodeError as err:
                 raise ProgrammingError(str(err)) from err
 
+        # final statement with `%%s` should be replaced as `%s`
+        operation = operation.replace("%%s", "%s")
         if isinstance(params, dict):
             replacement_keys = re.findall(RE_SQL_PYTHON_CAPTURE_PARAM_NAME, operation)
             try:

mysql-connector-python/tests/test_bugs.py

@@ -8899,3 +8899,55 @@ def test_connection_timeout(self):
                 cnx.cmd_query("SELECT SLEEP(5)")
         except Exception as err:
             self.fail(err)
+
+
+class BugOra37447394(tests.MySQLConnectorTests):
+    """BUG#37447394: Unable to escape a parameter marker (`%s`) used in a query that should not be
+    treated as a parameter marker.
+
+    The `%s` parameter marker is not being escaped by using `%%s` in an SQL statement being passed
+    via the cursor's execute() method. This is required while passing a query like:
+    `select date_format(%s, "%Y-%m-%d %H:%i:%%s")`. Currently, the `%s` at the end of the query is
+    is not being escaped and is being treated like a parameter marker instead.
+
+    This patch fixes this issue by adding proper regular expression checks to escape the `%s` by
+    using `%%s`.
+    """
+
+    stmt = 'select date_format(%s, "%Y-%m-%d %H:%i:%%s")'
+    params = ("2017-06-15 12:20:23",)
+
+    @foreach_cnx()
+    def test_bug37447394(self):
+        try:
+            with self.cnx.cursor() as cur:
+                cur.execute(self.stmt, self.params)
+                self.assertEqual(cur.fetchone(), self.params)
+            with self.cnx.cursor(prepared=True) as cur:
+                cur.execute(self.stmt, self.params)
+                self.assertEqual(cur.fetchone(), self.params)
+        except Exception as err:
+            self.fail(err)
+
+
+class BugOra37447394_async(tests.MySQLConnectorAioTestCase):
+    """BUG#37447394: Unable to escape a parameter marker (`%s`) used in a query that should not be
+    treated as a parameter marker.
+
+    For more details check `test_bugs.BugOra37447394`.
+    """
+
+    stmt = 'select date_format(%s, "%Y-%m-%d %H:%i:%%s")'
+    params = ("2017-06-15 12:20:23", )
+
+    @foreach_cnx_aio()
+    async def test_bug37447394_async(self):
+        try:
+            async with await self.cnx.cursor() as cur:
+                await cur.execute(self.stmt, self.params)
+                self.assertEqual(await cur.fetchone(), self.params)
+            async with await self.cnx.cursor(prepared=True) as cur:
+                await cur.execute(self.stmt, self.params)
+                self.assertEqual(await cur.fetchone(), self.params)
+        except Exception as err:
+            self.fail(err)