Allow template in query in sql #150287

Merged: emontnemery merged 10 commits into dev from gj-20250808-01 on Nov 6, 2025

@gjohansson-ST (Member) commented Aug 8, 2025

Proposed change

Allow using templates in sql query in SQL integration.


@home-assistant bot (Contributor) commented Aug 8, 2025

Hey there @dougiteixeira, mind taking a look at this pull request as it has been labeled with an integration (sql) you are listed as a code owner for? Thanks!


@gjohansson-ST gjohansson-ST marked this pull request as ready for review August 8, 2025 22:17
Copilot AI review requested due to automatic review settings August 8, 2025 22:17
Copilot AI (Contributor) left a comment

Pull Request Overview

This PR introduces template support for SQL queries in the SQL integration, allowing dynamic query generation based on Home Assistant state and templates. The implementation adds query validation at both configuration time and runtime to ensure template rendering produces valid SQL.

Key changes:

  • Modified SQL query parameter from string to ValueTemplate to support Jinja2 templating
  • Added runtime query validation and rendering with proper error handling
  • Updated configuration flow to use template selector and validate templated queries

Reviewed Changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| `homeassistant/components/sql/util.py` | Added check_and_render_sql_query function for template validation and SQL parsing |
| `homeassistant/components/sql/sensor.py` | Modified SQLSensor to handle ValueTemplate queries with runtime rendering |
| `homeassistant/components/sql/config_flow.py` | Updated config flow to use template selector and new validation function |
| `homeassistant/components/sql/__init__.py` | Updated YAML schema validation to handle Template objects |
| `tests/components/sql/test_sensor.py` | Added comprehensive tests for template queries including error scenarios |
| `tests/components/sql/test_config_flow.py` | Added tests for template query validation in config flow |
| `tests/components/sql/test_init.py` | Updated validation tests to work with Template objects |
| `tests/components/sql/__init__.py` | Added test configuration constants for template scenarios |

@gjohansson-ST gjohansson-ST marked this pull request as draft August 8, 2025 22:27
@gjohansson-ST gjohansson-ST marked this pull request as ready for review August 9, 2025 10:57
@luuuis (Contributor) left a comment

Could this facilitate SQL injection attacks if we were to allow interpolating the state of arbitrary sensors into SQL statements (that might have been pulled off the internet, etc)?

What are the use cases and would adding bind parameter support not suffice for those?

@joostlek (Member) left a comment

There are merge conflicts

@home-assistant (Contributor) commented

Please take a look at the requested changes, and use the Ready for review button when you are done, thanks 👍


@home-assistant home-assistant Bot marked this pull request as draft September 11, 2025 10:38
@gjohansson-ST gjohansson-ST marked this pull request as ready for review October 28, 2025 15:15
@home-assistant home-assistant Bot requested a review from joostlek October 28, 2025 15:15
@gjohansson-ST (Member, Author) commented

> Could this facilitate SQL injection attacks if we were to allow interpolating the state of arbitrary sensors into SQL statements (that might have been pulled off the internet, etc)?

We parse and validate the syntax after rendering so if the statement does something else than a regular select, it won't allow it.

That also ensures this even if someone tries to use templating to bypass it.

But the validation was already in place and has not changed.
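
The trade-off discussed in this exchange, as an added example that is not code from the pull request or from Home Assistant: a statement-type check applied after rendering limits what kind of statement runs, while a bind parameter limits how a value is interpreted. `render_query`, `is_single_select`, the `readings` table and the state values are assumptions made for the illustration, and the check is a simplified stand-in for a real SQL parser.

```python
import sqlite3
from string import Template

def make_db() -> sqlite3.Connection:
    """Constructed sample data: readings for two sensors, in memory."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE readings (entity TEXT, value REAL)")
    db.executemany(
        "INSERT INTO readings VALUES (?, ?)",
        [("sensor.kitchen", 21.5), ("sensor.garage", 12.0)],
    )
    return db

# Hypothetical stand-in for template rendering: the state is spliced into SQL text.
QUERY_TEMPLATE = Template("SELECT entity, value FROM readings WHERE entity = '$state'")

def render_query(state: str) -> str:
    return QUERY_TEMPLATE.substitute(state=state)

def is_single_select(sql: str) -> bool:
    """Simplified statement-type check (assumption, not the integration's validator)."""
    body = sql.strip().rstrip(";")
    return body.lower().startswith("select") and ";" not in body

def run_rendered(db: sqlite3.Connection, state: str) -> list:
    """Interpolate the state, check the statement type, then execute."""
    sql = render_query(state)
    if not is_single_select(sql):
        raise ValueError("only a single SELECT is allowed")
    return db.execute(sql).fetchall()

def run_bound(db: sqlite3.Connection, state: str) -> list:
    """Same query with the state passed as a bind parameter, never parsed as SQL."""
    return db.execute(
        "SELECT entity, value FROM readings WHERE entity = ?", (state,)
    ).fetchall()

# Constructed state values: a normal one, one that alters the WHERE clause,
# and one that appends a second statement.
NORMAL = "sensor.kitchen"
WIDENED = "x' OR '1'='1"
STACKED = "x'; DROP TABLE readings; --"

if __name__ == "__main__":
    db = make_db()
    print(run_rendered(db, NORMAL), run_rendered(db, WIDENED), run_bound(db, WIDENED))
```

The check rejects the stacked statement, but the widened value still renders to a single SELECT; only the bound form treats it as a plain string that matches no row.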

@emontnemery (Contributor) commented

Please set the PR back to "Ready for review" when the merge conflicts are fixed

@emontnemery emontnemery marked this pull request as draft November 3, 2025 15:37
@gjohansson-ST gjohansson-ST marked this pull request as ready for review November 4, 2025 18:34
@emontnemery (Contributor) left a comment

Please update the PR description with a motivation for the new feature, with an example.
Also, the documentation PR should have an example.

@home-assistant home-assistant Bot marked this pull request as draft November 6, 2025 09:56
@gjohansson-ST (Member, Author) commented Nov 6, 2025

Update the PR description with some related motivation why this should be done.

I'll update the doc PR shortly with an expanded example.

@gjohansson-ST gjohansson-ST marked this pull request as ready for review November 6, 2025 11:37
@home-assistant home-assistant Bot requested a review from emontnemery November 6, 2025 11:37
@home-assistant home-assistant Bot marked this pull request as draft November 6, 2025 12:15
@gjohansson-ST gjohansson-ST marked this pull request as ready for review November 6, 2025 13:55
@home-assistant home-assistant Bot requested a review from emontnemery November 6, 2025 13:55
@emontnemery (Contributor) left a comment

LGTM, thanks @gjohansson-ST

@emontnemery emontnemery merged commit 67ccdd3 into dev Nov 6, 2025
36 checks passed
@emontnemery emontnemery deleted the gj-20250808-01 branch November 6, 2025 16:11
@github-actions github-actions Bot locked and limited conversation to collaborators Nov 7, 2025
Comment on lines +42 to +44
vol.Required(CONF_QUERY): vol.All(
cv.template, ValueTemplate.from_template, validate_sql_select
),
@arturpragacz (Member) commented Nov 10, 2025

This is a schema for a service. It should not contain templates, as template support for services is handled automatically by Core prior to this validation.
