Fix Copilot review: escape strings, update README

nkanu17 · nkanu17 · commit 50d84ebbeea1 · 2026-03-16T12:38:55.000-04:00
- Escape backslashes and quotes in DATE_FORMAT format strings
- Escape backslashes and quotes in FILTER expression values
- Update README: OR with date functions raises ValueError
diff --git a/README.md b/README.md
@@ -234,7 +234,7 @@ SELECT name, DATE_FORMAT(created_at, '%Y-%m-%d') AS date FROM events
 
 - `NOT YEAR(field) = 2024` is not supported (raises `ValueError`)
 - `DATE_FORMAT()` is only supported in SELECT, not in WHERE (raises `ValueError`)
-- Date functions with `OR` require careful handling
+- Date functions combined with `OR` are not supported (raises `ValueError`)
 
 ### GEO Field Support
 
diff --git a/sql_redis/translator.py b/sql_redis/translator.py
@@ -390,9 +390,11 @@ def _build_aggregate(
             if redis_func:
                 if date_func.function == "DATE_FORMAT" and date_func.format_string:
                     # DATE_FORMAT(field, format) -> timefmt(@field, format)
-                    expression = (
-                        f'{redis_func}(@{date_func.field}, "{date_func.format_string}")'
+                    # Escape backslashes and quotes in format string
+                    escaped_fmt = date_func.format_string.replace("\\", "\\\\").replace(
+                        '"', '\\"'
                     )
+                    expression = f'{redis_func}(@{date_func.field}, "{escaped_fmt}")'
                 else:
                     # Simple date extraction: YEAR(field) -> year(@field)
                     expression = f"{redis_func}(@{date_func.field})"
@@ -640,5 +642,7 @@ def _normalize_filter_value(self, value: object) -> str:
         """
         if isinstance(value, (int, float)):
             return str(value)
-        # Quote string values for FILTER
-        return f'"{value}"'
+        # Quote string values for FILTER, escaping backslashes and double quotes
+        str_value = str(value)
+        escaped_value = str_value.replace("\\", "\\\\").replace('"', '\\"')
+        return f'"{escaped_value}"'
diff --git a/tests/test_redis_queries.py b/tests/test_redis_queries.py
@@ -278,9 +278,9 @@ def test_between_and_greater_than(
             row_dict = dict(zip(row[::2], row[1::2]))
             if "price" in row_dict:
                 price = float(row_dict["price"])
-                assert (
-                    100 <= price <= 500
-                ), f"Price {price} should be between 100 and 500"
+                assert 100 <= price <= 500, (
+                    f"Price {price} should be between 100 and 500"
+                )
 
 
 class TestTagFieldMultiValueSearch:
diff --git a/tests/test_sql_queries.py b/tests/test_sql_queries.py
@@ -248,9 +248,9 @@ def test_in_clause_with_or(self, executor: Executor, products_data: str):
             WHERE tags IN ('sale', 'featured') OR category = 'electronics'
             """
         )
-        assert (
-            len(result.rows) >= 1
-        ), "Should return products matching tag OR conditions"
+        assert len(result.rows) >= 1, (
+            "Should return products matching tag OR conditions"
+        )
 
     def test_tag_in_clause_only(self, executor: Executor, products_data: str):
         """IN clause on TAG field without OR."""
