From f1308f75d94d181b0877d2e500e647f23c7c44b3 Mon Sep 17 00:00:00 2001
From: Jean-Paul Calderone
Date: Fri, 20 May 2022 13:30:09 -0400
Subject: [PATCH] Prohibit `;` in identifiers (but allow `?` in again)

We no longer bind parameters so `?` should be safe.
---
 src/_zkapauthorizer/tests/strategies.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/_zkapauthorizer/tests/strategies.py b/src/_zkapauthorizer/tests/strategies.py
index 4acb01ae..4f7cab68 100644
--- a/src/_zkapauthorizer/tests/strategies.py
+++ b/src/_zkapauthorizer/tests/strategies.py
@@ -1208,9 +1208,9 @@ def sql_identifiers() -> SearchStrategy[str]:
 # Maybe ] should be allowed but I don't know how to quote it. '
 # certainly should be but Python sqlite3 module has lots of
 # problems with it.
- # ? is disallowed due to how we substitute variables into
- # SQL statements for the event-log
- blacklist_characters=("\x00", "]", "'", "?"),
+ # ; is disallowed because sqlparse can't parse statements using it
+ # in an identifier.
+ blacklist_characters=("\x00", "]", "'", ";"),
 ),
 )
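Review bot: The reason `?` may be generated again is stated only in the commit message, while the new comment block in this hunk explains only why `;` is excluded; a reader of the strategy alone cannot tell that allowing `?` depends on identifiers no longer being placed into statements that also bind `?` parameters. Record that assumption next to the tuple, e.g. `# ? is allowed again because identifiers are no longer mixed with bound ? parameters (f1308f7); re-add it here if binding returns.`, so the exclusion is restored if that code path changes. Because this strategy drives the tests, every character blacklisted here is also a character the production identifier quoting is never exercised against, which the comment could state explicitly, e.g. `# NOTE: characters excluded here are untested in identifier quoting.`. The enclosing sql_identifiers() body starts above the hunk.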