BUG#37859771 - mysql/connector python version 9.3.0 has a regression

SubCoder1 · SubCoder1 · commit 9b86b2926e55 · 2025-06-03T17:10:10.000+05:30
which cannot persist binary data with percent signs in it

Reverted back the changes made to fix BUG#37447394 which introduced
an unwanted behavior reducing double percentage sign character "%%s"
in query strings passed to MySQLCursor.execute to a single "%s" character.

Change-Id: I8fd834e8f165827672a272f30d410191880a6e8a
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -16,6 +16,7 @@ v9.4.0
 - WL#16962: Update the Python Protobuf version
 - BUG#37868219: RPM packages have incorrect copyright year in their metadata
 - BUG#37820231: Text based django ORM filters doesn't work with Connector/Python
+- BUG#37859771: mysql/connector python version 9.3.0 has a regression which cannot persist binary data with percent signs in it
 - BUG#37806057: Rename extra option (when installing wheel package) to install webauthn functionality dependencies
 - BUG#37642447: The license type is missing from RPM package
 - BUG#37627508: mysql/connector python fetchmany() has an off by one bug when argument given as 1
@@ -32,7 +33,6 @@ v9.3.0
 - WL#16327: Remove Cursors Prepared Raw and Named Tuple
 - BUG#37541353: (Contribution) Fix typing annotation of MySQLConnectionAbstract's close function
 - BUG#37453587: Github links in PyPI project's pages do not work
-- BUG#37447394: Unable to escape a parameter marker (`%s`) used in a query that should not be treated as a parameter marker
 - BUG#37418436: Arbitrary File Read in MySQL Python Client library
 - BUG#37410052: Bad formatting of exceptions when connecting with Unix sockets
 - BUG#37399636: The C-extension has a memory leak when working with prepared statements
diff --git a/mysql-connector-python/lib/mysql/connector/aio/cursor.py b/mysql-connector-python/lib/mysql/connector/aio/cursor.py
@@ -410,8 +410,6 @@ async def _prepare_statement(
                     f"Could not process parameters: {type(params).__name__}({params}),"
                     " it must be of type list, tuple or dict"
                 )
-        # final statement with `%%s` should be replaced as `%s`
-        stmt = stmt.replace(b"%%s", b"%s")
 
         return stmt
 
@@ -1209,8 +1207,6 @@ async def execute(
             except UnicodeEncodeError as err:
                 raise ProgrammingError(str(err)) from err
 
-            # final statement with `%%s` should be replaced as `%s`
-            operation = operation.replace(b"%%s", b"%s")
             if b"%s" in operation:
                 # Convert %s to ? before sending it to MySQL
                 operation = re.sub(RE_SQL_FIND_PARAM, b"?", operation)
diff --git a/mysql-connector-python/lib/mysql/connector/cursor.py b/mysql-connector-python/lib/mysql/connector/cursor.py
@@ -95,7 +95,7 @@
     re.I | re.M | re.S,
 )
 RE_SQL_INSERT_VALUES = re.compile(r".*VALUES\s*(\(.+\)).*", re.I | re.M | re.S)
-RE_PY_PARAM = re.compile(b"((?<!%)%s)")
+RE_PY_PARAM = re.compile(b"(%s)")
 RE_PY_MAPPING_PARAM = re.compile(
     rb"""
     %
@@ -400,8 +400,6 @@ def execute(
                     " it must be of type list, tuple or dict"
                 )
 
-        # final statement with `%%s` should be replaced as `%s`
-        stmt = stmt.replace(b"%%s", b"%s")
         self._stmt_partitions = split_multi_statement(
             sql_code=stmt, map_results=map_results
         )
@@ -1237,8 +1235,6 @@ def execute(
             except UnicodeEncodeError as err:
                 raise ProgrammingError(str(err)) from err
 
-            # final statement with `%%s` should be replaced as `%s`
-            operation = operation.replace(b"%%s", b"%s")
             if b"%s" in operation:
                 # Convert %s to ? before sending it to MySQL
                 operation = re.sub(RE_SQL_FIND_PARAM, b"?", operation)
diff --git a/mysql-connector-python/lib/mysql/connector/cursor_cext.py b/mysql-connector-python/lib/mysql/connector/cursor_cext.py
@@ -336,9 +336,6 @@ def execute(
                         "Not all parameters were used in the SQL statement"
                     )
 
-        # final statement with `%%s` should be replaced as `%s`
-        stmt = stmt.replace(b"%%s", b"%s")
-
         self._stmt_partitions = split_multi_statement(
             sql_code=stmt, map_results=map_results
         )
@@ -1129,8 +1126,6 @@ def execute(
             except UnicodeDecodeError as err:
                 raise ProgrammingError(str(err)) from err
 
-        # final statement with `%%s` should be replaced as `%s`
-        operation = operation.replace("%%s", "%s")
         if isinstance(params, dict):
             replacement_keys = re.findall(RE_SQL_PYTHON_CAPTURE_PARAM_NAME, operation)
             try:
diff --git a/mysql-connector-python/tests/test_bugs.py b/mysql-connector-python/tests/test_bugs.py
@@ -8900,57 +8900,6 @@ def test_connection_timeout(self):
             self.fail(err)
 
 
-class BugOra37447394(tests.MySQLConnectorTests):
-    """BUG#37447394: Unable to escape a parameter marker (`%s`) used in a query that should not be
-    treated as a parameter marker.
-
-    The `%s` parameter marker is not being escaped by using `%%s` in an SQL statement being passed
-    via the cursor's execute() method. This is required while passing a query like:
-    `select date_format(%s, "%Y-%m-%d %H:%i:%%s")`. Currently, the `%s` at the end of the query is
-    is not being escaped and is being treated like a parameter marker instead.
-
-    This patch fixes this issue by adding proper regular expression checks to escape the `%s` by
-    using `%%s`.
-    """
-
-    stmt = 'select date_format(%s, "%Y-%m-%d %H:%i:%%s")'
-    params = ("2017-06-15 12:20:23",)
-
-    @foreach_cnx()
-    def test_bug37447394(self):
-        try:
-            with self.cnx.cursor() as cur:
-                cur.execute(self.stmt, self.params)
-                self.assertEqual(cur.fetchone(), self.params)
-            with self.cnx.cursor(prepared=True) as cur:
-                cur.execute(self.stmt, self.params)
-                self.assertEqual(cur.fetchone(), self.params)
-        except Exception as err:
-            self.fail(err)
-
-
-class BugOra37447394_async(tests.MySQLConnectorAioTestCase):
-    """BUG#37447394: Unable to escape a parameter marker (`%s`) used in a query that should not be
-    treated as a parameter marker.
-
-    For more details check `test_bugs.BugOra37447394`.
-    """
-
-    stmt = 'select date_format(%s, "%Y-%m-%d %H:%i:%%s")'
-    params = ("2017-06-15 12:20:23", )
-
-    @foreach_cnx_aio()
-    async def test_bug37447394_async(self):
-        try:
-            async with await self.cnx.cursor() as cur:
-                await cur.execute(self.stmt, self.params)
-                self.assertEqual(await cur.fetchone(), self.params)
-            async with await self.cnx.cursor(prepared=True) as cur:
-                await cur.execute(self.stmt, self.params)
-                self.assertEqual(await cur.fetchone(), self.params)
-        except Exception as err:
-            self.fail(err)
-
 class BugOra37275524(tests.MySQLConnectorTests):
     """BUG#37275524: Exception is not interpreted properly on prepared statements when C extension is in use
 
diff --git a/mysql-connector-python/tests/test_data_integrity.py b/mysql-connector-python/tests/test_data_integrity.py

Original file line number	Diff line number	Diff line change
`@@ -95,7 +95,7 @@`
`95`	`95`	`re.I \| re.M \| re.S,`
`96`	`96`	`)`
`97`	`97`	`RE_SQL_INSERT_VALUES = re.compile(r".VALUES\s(\(.+\)).*", re.I \| re.M \| re.S)`
`98`		`-RE_PY_PARAM = re.compile(b"((?<!%)%s)")`
	`98`	`+RE_PY_PARAM = re.compile(b"(%s)")`
`99`	`99`	`RE_PY_MAPPING_PARAM = re.compile(`
`100`	`100`	`rb"""`
`101`	`101`	`%`
`@@ -400,8 +400,6 @@ def execute(`
`400`	`400`	`" it must be of type list, tuple or dict"`
`401`	`401`	`)`
`402`	`402`
`403`		- # final statement with `%%s` should be replaced as `%s`
`404`		`- stmt = stmt.replace(b"%%s", b"%s")`
`405`	`403`	`self._stmt_partitions = split_multi_statement(`
`406`	`404`	`sql_code=stmt, map_results=map_results`
`407`	`405`	`)`
`@@ -1237,8 +1235,6 @@ def execute(`
`1237`	`1235`	`except UnicodeEncodeError as err:`
`1238`	`1236`	`raise ProgrammingError(str(err)) from err`
`1239`	`1237`
`1240`		- # final statement with `%%s` should be replaced as `%s`
`1241`		`- operation = operation.replace(b"%%s", b"%s")`
`1242`	`1238`	`if b"%s" in operation:`
`1243`	`1239`	`# Convert %s to ? before sending it to MySQL`
`1244`	`1240`	`operation = re.sub(RE_SQL_FIND_PARAM, b"?", operation)`