Message-ID: <387a4f5e-5886-443d-bc4e-e649706173a4@aklaver.com>
Date: Mon, 22 Apr 2024 09:50:31 -0700
Subject: Re: Safe SELECT ... LIKE abc% in psycopg
To: Philippe Strauss, psycopg@lists.postgresql.org
From: Adrian Klaver
In-Reply-To: <6b4e2581-8b08-4f0c-b159-cd078fd988a9@straussaudio.ch>
References: <6b4e2581-8b08-4f0c-b159-cd078fd988a9@straussaudio.ch>

On 4/22/24 09:34, Philippe Strauss wrote:
> Hello, I'm Philippe from Switzerland,
>
> I'm writing using Python a small JSON API for a mycology photos archive
> webapp. Aside from the main API endpoint are two
> helpers for an autocomplete form.
> Here is the first one:
>
> --8<--
> @app.route('/genus/')
> def genus(genus):
>     with dbconn.cursor() as cur:
>         cur.execute("""SELECT myco.genus.name
>             FROM myco.genus
>             WHERE myco.genus.name LIKE %s""", (genus.upper()+'%',))
>         lsgenus = cur.fetchall()
>         ls = []
>         for genus in lsgenus:
>             ls.append(genus[0])
>     return jsonify(ls)
> --8<--
>
> My questions:
> - What is the best way to use in psycopg3 to express a SELECT ... WHERE
> ... LIKE blah% ?
> - Is my code above safe or vulnerable to an injection attack?
> - What do people who have passed on the same pattern have to recommend?

Read:

https://www.psycopg.org/psycopg3/docs/basic/params.html

It will answer the above.

For this case from link:

"When parameters are used, in order to include a literal % in the query you can use the %% string:"

>
> Thanks!
>

-- 
Adrian Klaver
adrian.klaver@aklaver.com