Description: Escape non expressions for unary operators
 This patch fixes the vulnerability for SQL injection attacks
 from
 https://discuss.tryton.org/t/security-release-for-issue-93
Author: Cédric Krier <cedric.krier@b2ck.com>
Bug: https://bugs.tryton.org/python-sql/93

--- a/sql/operators.py
+++ b/sql/operators.py
@@ -121,7 +121,8 @@
         return self
 
     def __str__(self):
-        return '(' + (' %s ' % self._operator).join(map(str, self)) + ')'
+        return '(' + (' %s ' % self._operator).join(
+            map(self._format, self)) + ')'
 
 
 class And(NaryOperator):
--- a/sql/tests/test_operators.py
+++ b/sql/tests/test_operators.py
@@ -25,6 +25,10 @@
         self.assertEqual(str(and_), '(%s AND "c2")')
         self.assertEqual(and_.params, (True,))
 
+        and_ = And((Literal(True), 'foo'))
+        self.assertEqual(str(and_), '(%s AND %s)')
+        self.assertEqual(and_.params, (True, 'foo'))
+
     def test_operator_operators(self):
         and_ = And((Literal(True), self.table.c1))
         and2 = and_ & And((Literal(True), self.table.c2))