address PR feedback: add comment explaining limitation and test for LIKE + parameters

james-willis · james-willis · commit bf944d8ed79e · 2026-03-16T12:43:34.000-07:00
diff --git a/tests/test_cursor.py b/tests/test_cursor.py
@@ -85,3 +85,13 @@ def test_plain_query_without_parameters(self):
         sql = "SELECT * FROM table"
         cursor.execute(sql)
         assert captured["sql"] == sql
+
+    def test_like_with_parameters(self):
+        """A LIKE expression combined with named parameters should work.
+        Literal percent signs must be escaped as %% when parameters are used."""
+        cursor, captured = _make_cursor()
+        sql = "SELECT * FROM table WHERE name LIKE '%%good%%' AND id = %(id)s"
+        cursor.execute(sql, parameters={"id": 42})
+        assert captured["sql"] == (
+            "SELECT * FROM table WHERE name LIKE '%good%' AND id = 42"
+        )
diff --git a/wherobots/db/cursor.py b/wherobots/db/cursor.py
@@ -98,6 +98,10 @@ def execute(
         self.__rowcount = -1
         self.__description = None
 
+        # Only apply %-formatting when parameters are provided; skipping avoids
+        # misinterpreting literal % in SQL (e.g. LIKE '%good') as format specifiers.
+        # Note: queries that combine literal % with named parameters must escape
+        # the literal percent signs as %% per Python's %-formatting rules.
         sql = operation % parameters if parameters else operation
         self.__current_execution_id = self.__exec_fn(
             sql, self.__on_execution_result, store
