1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
|
:mod:`sqlparse` -- Parse SQL statements
=======================================
.. module:: sqlparse
:synopsis: Parse SQL statements.
The :mod:`sqlparse` module provides the following functions on module-level.
.. autofunction:: sqlparse.split
.. autofunction:: sqlparse.format
.. autofunction:: sqlparse.parse
In most cases there's no need to set the `encoding` parameter. If
`encoding` is not set, sqlparse assumes that the given SQL statement
is encoded either in utf-8 or latin-1.
.. _formatting:
Formatting of SQL Statements
----------------------------
The :meth:`~sqlparse.format` function accepts the following keyword arguments.
``keyword_case``
Changes how keywords are formatted. Allowed values are "upper", "lower"
and "capitalize".
``identifier_case``
Changes how identifiers are formatted. Allowed values are "upper", "lower",
and "capitalize".
``strip_comments``
If ``True`` comments are removed from the statements.
``truncate_strings``
If ``truncate_strings`` is a positive integer, string literals longer than
the given value will be truncated.
``truncate_char`` (default: "[...]")
If long string literals are truncated (see above) this value will be append
to the truncated string.
``reindent``
If ``True`` the indentations of the statements are changed.
``reindent_aligned``
If ``True`` the indentations of the statements are changed, and statements are aligned by keywords.
``use_space_around_operators``
If ``True`` spaces are used around all operators.
``indent_tabs``
If ``True`` tabs instead of spaces are used for indentation.
``indent_width``
The width of the indentation, defaults to 2.
``wrap_after``
The column limit (in characters) for wrapping comma-separated lists. If unspecified, it
puts every item in the list on its own line.
``compact``
If ``True`` the formatter tries to produce more compact output.
``output_format``
If given the output is additionally formatted to be used as a variable
in a programming language. Allowed values are "python" and "php".
``comma_first``
If ``True`` comma-first notation for column names is used.
Security and Performance Considerations
---------------------------------------
For developers working with very large SQL statements or in security-sensitive
environments, sqlparse includes built-in protections against potential denial
of service (DoS) attacks:
**Grouping Limits**
The parser includes configurable limits to prevent excessive resource
consumption when processing very large or deeply nested SQL structures:
- ``MAX_GROUPING_DEPTH`` (default: 100) - Limits recursion depth during token grouping
- ``MAX_GROUPING_TOKENS`` (default: 10,000) - Limits the number of tokens processed in a single grouping operation
These limits can be modified by changing the constants in ``sqlparse.engine.grouping``
if your application requires processing larger SQL statements. Set a limit to ``None``
to completely disable it. However, increasing these values or disabling limits may
expose your application to DoS vulnerabilities when processing untrusted SQL input.
Example of modifying limits::
import sqlparse.engine.grouping
# Increase limits (use with caution)
sqlparse.engine.grouping.MAX_GROUPING_DEPTH = 200
sqlparse.engine.grouping.MAX_GROUPING_TOKENS = 50000
# Disable limits completely (use with extreme caution)
sqlparse.engine.grouping.MAX_GROUPING_DEPTH = None
sqlparse.engine.grouping.MAX_GROUPING_TOKENS = None
.. warning::
Increasing the grouping limits or disabling them completely may make your
application vulnerable to DoS attacks when processing untrusted SQL input.
Only modify these values if you are certain about the source and size of
your SQL statements.
|
