sqlite3: issue a warning if a sequence of params are used with named placeholders in queries

[erlend-aasland]

(See Discourse topic.)

Per now, it is possible to supply a sequence of params to queries with named placeholders:

>>> cx.execute("select :name", [42]).fetchall()
[(42,)]
>>> cx.execute("select :other", [42]).fetchall()
[(42,)]

This may result in unexpected results if a user misuse the sqlite3 module and use PEP-249 style numeric placeholders:

>>> cx.execute("select :1", ("first",)).fetchall()
[('first',)]
>>> cx.execute("select :1, :2", ("first", "second")).fetchall()
[('first', 'second')]
>>> cx.execute("select :2, :1", ("first", "second")).fetchall()  # Unexpected result follows
[('first', 'second')]

PEP-249 style numeric placeholders are not supported by sqlite3; it only supports PEP-249 style named placeholders and PEP-249 style qmark placeholders, so the placeholders in the above example are interpreted as named, not numeric, placeholders.

Based on the discussion in the above linked Discourse topic, I propose to now issue a deprecation warning if sequences are used with named placeholders. The deprecation warning should inform that from Python 3.14 and onward, sqlite3.ProgrammingError will be raised instead.

Linked PRs

• gh-101693: In sqlite3, deprecate using named placeholders with parameters supplied as a sequence #101698