postgresql modules: use query parameters with cursor objects (#65862)

* postgresql modules: use query parameters with cursor objects

* add changelog fragment

* fix typo in changelog fragment

changelogs/fragments/65862-postgresql_modules_use_query_params_with_cursor.yml

@@ -0,0 +1,4 @@
+bugfixes:
+- postgresql_table - use query parameters with cursor object (https://github.com/ansible/ansible/pull/65862).
+- postgresql_tablespace - use query parameters with cursor object (https://github.com/ansible/ansible/pull/65862).
+- postgresql_user - use query parameters with cursor object (https://github.com/ansible/ansible/pull/65862).

lib/ansible/modules/database/postgresql/postgresql_table.py

@@ -288,9 +288,10 @@ class Table(object):
                  "FROM pg_tables AS t "
                  "INNER JOIN pg_class AS c ON  c.relname = t.tablename "
                  "INNER JOIN pg_namespace AS n ON c.relnamespace = n.oid "
-                 "WHERE t.tablename = '%s' "
-                 "AND n.nspname = '%s'" % (tblname, schema))
-        res = exec_sql(self, query, add_to_executed=False)
+                 "WHERE t.tablename = %(tblname)s "
+                 "AND n.nspname = %(schema)s")
+        res = exec_sql(self, query, query_params={'tblname': tblname, 'schema': schema},
+                       add_to_executed=False)
         if res:
             self.exists = True
             self.info = dict(

lib/ansible/modules/database/postgresql/postgresql_tablespace.py

@@ -248,16 +248,15 @@ class PgTablespace(object):
             query = ("SELECT r.rolname, (SELECT Null), %s "
                      "FROM pg_catalog.pg_tablespace AS t "
                      "JOIN pg_catalog.pg_roles AS r "
-                     "ON t.spcowner = r.oid "
-                     "WHERE t.spcname = '%s'" % (location, self.name))
+                     "ON t.spcowner = r.oid " % location)
         else:
             query = ("SELECT r.rolname, t.spcoptions, %s "
                      "FROM pg_catalog.pg_tablespace AS t "
                      "JOIN pg_catalog.pg_roles AS r "
-                     "ON t.spcowner = r.oid "
-                     "WHERE t.spcname = '%s'" % (location, self.name))
+                     "ON t.spcowner = r.oid " % location)
 
-        res = exec_sql(self, query, add_to_executed=False)
+        res = exec_sql(self, query + "WHERE t.spcname = %(name)s",
+                       query_params={'name': self.name}, add_to_executed=False)
 
         if not res:
             self.exists = False

lib/ansible/modules/database/postgresql/postgresql_user.py

@@ -541,8 +541,8 @@ def get_table_privileges(cursor, user, table):
     else:
         schema = 'public'
     query = ("SELECT privilege_type FROM information_schema.role_table_grants "
-             "WHERE grantee='%s' AND table_name='%s' AND table_schema='%s'" % (user, table, schema))
-    cursor.execute(query)
+             "WHERE grantee=%(user)s AND table_name=%(table)s AND table_schema=%(schema)s")
+    cursor.execute(query, {'user': user, 'table': table, 'schema': schema})
     return frozenset([x[0] for x in cursor.fetchall()])