Re: Safe SELECT ... LIKE abc% in psycopg

public inbox for [email protected]  
help / color / mirror / Atom feed

From: Adrian Klaver <[email protected]>
To: Philippe Strauss <[email protected]>
To: [email protected]
Subject: Re: Safe SELECT ... LIKE abc% in psycopg
Date: Mon, 22 Apr 2024 09:50:31 -0700
Message-ID: <[email protected]> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>

On 4/22/24 09:34, Philippe Strauss wrote:
> Hello, I'm Philippe from switzerland,
> 
> I'm writing using python a small JSON API for a mycology photos archive 
> webapp. Aside the main API endpoint are two
> helpers for an autocomplete form.
> Here is the first one:
> 
> --8<--
> @app.route('/genus/<genus>')
> def genus(genus):
>      with dbconn.cursor() as cur:
>          cur.execute("""SELECT myco.genus.name
>              FROM myco.genus
>              WHERE myco.genus.name LIKE %s""", (genus.upper()+'%',))
>          lsgenus = cur.fetchall()
>          ls = []
>          for genus in lsgenus:
>              ls.append(genus[0])
>      return jsonify(ls)
> --8<--
> 
> My questions:
> - What is the best way to use in psycopg3 to express a SELECT ... WHERE 
> ... LIKE blah% ?
> - Is my code above safe or vulnerable to a injection attack?
> - What peoples having passed on the same pattern have to recommend?

Read:

https://www.psycopg.org/psycopg3/docs/basic/params.html

It will answer the above.

For this case from link:

"When parameters are used, in order to include a literal % in the query 
you can use the %% string:"

> 
> Thanks!
> 

-- 
Adrian Klaver
[email protected]

view thread (4+ messages)  latest in thread

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected], [email protected]
  Subject: Re: Safe SELECT ... LIKE abc% in psycopg
  In-Reply-To: <[email protected]>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox