SQL injection inside python f-strings

[ReubenM]

I'm wanting to use an SQL injection in python, but can't wrap my head around how to deal with f-string interpolation.

I've seen lots of examples that scan for a long list of SQL keywords, but that does not seem efficient, so I have the injection hook onto the /*SQL*/ comment tag at the beginning of the string. This is minimal, and also makes it an optional feature.

Currently using:

;extends
(string
  (string_content) @injection.content
    (#match? #injection.content "^\\/\\*SQL\\*\\/")
    (#set! injection.language "sql"))

Works great for normal strings, but breaks in f-strings at first interpolation variable. How do I set it so that the f-string interpolation variables act as wildcards for SQL parsing, in a way that it sees the entire query as a single sql query (not multiple queries separated by interpolation variables) without also joining together separate f-strings into a single query.

So the following:

foo = f'''/*SQL*/
  SELECT {x} FROM {y} WHERE {z} < 5
'''

bar = f'''/*SQL*/
  SELECT {x} FROM {y} WHERE {z} > 5
'''

I want to be able to have the syntax highlighting work across the complete f-string, so that treesitter sees this a 2 separate SQL queries, foo and bar.

Does treesitter even support handling this type of templating interrupting an injection?

[bryankenote]

Is this similar to #3213?

[ReubenM]

Looks similar. If so, it might depend on neovim/neovim#17099 to be able to properly handle it.

[ReubenM]

I think this is fixed in neovim/neovim#24738

[ObserverOfTime]

You should not be interpolating SQL queries in the first place.

[ReubenM]

I'm well aware of sanitizing inputs by parameterizing queries . However, when building SQL queries, utilization of query parameters is limited to literals and identifiers. Anything else requires interpolation or concatenation of strings.