Skip to content

postgresql: harden two-phase xid SQL literal quoting#13225

Closed
c4tzzz wants to merge 1 commit intosqlalchemy:mainfrom
c4tzzz:hardening/pg-xid-quote
Closed

postgresql: harden two-phase xid SQL literal quoting#13225
c4tzzz wants to merge 1 commit intosqlalchemy:mainfrom
c4tzzz:hardening/pg-xid-quote

Conversation

@c4tzzz
Copy link
Copy Markdown

@c4tzzz c4tzzz commented Apr 8, 2026

Description

This PR introduces a defensive hardening change for PostgreSQL two-phase transaction SQL string construction.

It replaces direct %s interpolation of xid in:

  • PREPARE TRANSACTION
  • COMMIT PREPARED
  • ROLLBACK PREPARED

with SQL-quoted literals using existing internal helpers.

Updated locations:

  • PostgreSQL base dialect twophase methods
  • PostgreSQL psycopg twophase command composition
  • PostgreSQL provision cleanup path (ROLLBACK PREPARED)

Tests added:

  • verifies single-quote escaping in twophase xid literal rendering
  • verifies generated SQL command strings for base dialect and psycopg dialect paths

This is intended as a hardening/defensive coding improvement; no behavior change is expected for normal valid xid
values.

Checklist

This pull request is:

  • A short code fix
    • Related to defensive hardening requested by maintainer feedback
    • Includes tests for command construction and quoting behavior
  • A documentation / typographical / small typing error fix
  • A new feature implementation

@CaselIT
Copy link
Copy Markdown
Member

CaselIT commented Apr 9, 2026
edited
Loading

Hi,

We require an issue for these kind of PRs, that also shows the issue.
Furthermore I don't think it makes much sense to only fix this for postgresql, since similar issues may also be present in other dialects

@c4tzzz
Copy link
Copy Markdown
Author

c4tzzz commented Apr 9, 2026

If this isn't relevant, I'll close the request. Have a good day.

@c4tzzz c4tzzz closed this Apr 9, 2026
@CaselIT
Copy link
Copy Markdown
Member

CaselIT commented Apr 9, 2026

it's not that it's not relevant, it's that we have a process that should be followed for contributions that aren't just simple typo/docs/etc fixes. This doesn't classify as a short code fix.

In any case I'll open an issue as reminder so that a better analysis could be done.

@CaselIT CaselIT mentioned this pull request Apr 9, 2026
Closed
@CaselIT CaselIT added bug Something isn't working postgresql dialects general dialect tag. useful for unsupported dbs or deprecations. not needed for specific dbs. and removed bug Something isn't working postgresql dialects general dialect tag. useful for unsupported dbs or deprecations. not needed for specific dbs. labels Apr 13, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@c4tzzz @CaselIT