public inbox for [email protected]
help / color / mirror / Atom feedSafe SELECT ... LIKE abc% in psycopg
4+ messages / 3 participants
[nested] [flat]
* Safe SELECT ... LIKE abc% in psycopg
@ 2024-04-22 16:34 Philippe Strauss <[email protected]>
2024-04-22 16:50 ` Re: Safe SELECT ... LIKE abc% in psycopg Adrian Klaver <[email protected]>
2024-04-22 16:59 ` Re: Safe SELECT ... LIKE abc% in psycopg Daniele Varrazzo <[email protected]>
0 siblings, 2 replies; 4+ messages in thread
From: Philippe Strauss @ 2024-04-22 16:34 UTC (permalink / raw)
To: [email protected]
Hello, I'm Philippe from switzerland,
I'm writing using python a small JSON API for a mycology photos archive
webapp. Aside the main API endpoint are two
helpers for an autocomplete form.
Here is the first one:
--8<--
@app.route('/genus/<genus>')
def genus(genus):
with dbconn.cursor() as cur:
cur.execute("""SELECT myco.genus.name
FROM myco.genus
WHERE myco.genus.name LIKE %s""", (genus.upper()+'%',))
lsgenus = cur.fetchall()
ls = []
for genus in lsgenus:
ls.append(genus[0])
return jsonify(ls)
--8<--
My questions:
- What is the best way to use in psycopg3 to express a SELECT ... WHERE
... LIKE blah% ?
- Is my code above safe or vulnerable to a injection attack?
- What peoples having passed on the same pattern have to recommend?
Thanks!
--
Philippe Strauss
https://straussengineering.ch/
^ permalink raw reply [nested|flat] 4+ messages in thread
* Re: Safe SELECT ... LIKE abc% in psycopg
2024-04-22 16:34 Safe SELECT ... LIKE abc% in psycopg Philippe Strauss <[email protected]>
@ 2024-04-22 16:50 ` Adrian Klaver <[email protected]>
2024-04-22 16:57 ` Re: Safe SELECT ... LIKE abc% in psycopg Adrian Klaver <[email protected]>
1 sibling, 1 reply; 4+ messages in thread
From: Adrian Klaver @ 2024-04-22 16:50 UTC (permalink / raw)
To: Philippe Strauss <[email protected]>; [email protected]
On 4/22/24 09:34, Philippe Strauss wrote:
> Hello, I'm Philippe from switzerland,
>
> I'm writing using python a small JSON API for a mycology photos archive
> webapp. Aside the main API endpoint are two
> helpers for an autocomplete form.
> Here is the first one:
>
> --8<--
> @app.route('/genus/<genus>')
> def genus(genus):
> with dbconn.cursor() as cur:
> cur.execute("""SELECT myco.genus.name
> FROM myco.genus
> WHERE myco.genus.name LIKE %s""", (genus.upper()+'%',))
> lsgenus = cur.fetchall()
> ls = []
> for genus in lsgenus:
> ls.append(genus[0])
> return jsonify(ls)
> --8<--
>
> My questions:
> - What is the best way to use in psycopg3 to express a SELECT ... WHERE
> ... LIKE blah% ?
> - Is my code above safe or vulnerable to a injection attack?
> - What peoples having passed on the same pattern have to recommend?
Read:
https://www.psycopg.org/psycopg3/docs/basic/params.html
It will answer the above.
For this case from link:
"When parameters are used, in order to include a literal % in the query
you can use the %% string:"
>
> Thanks!
>
--
Adrian Klaver
[email protected]
^ permalink raw reply [nested|flat] 4+ messages in thread
* Re: Safe SELECT ... LIKE abc% in psycopg
2024-04-22 16:34 Safe SELECT ... LIKE abc% in psycopg Philippe Strauss <[email protected]>
2024-04-22 16:50 ` Re: Safe SELECT ... LIKE abc% in psycopg Adrian Klaver <[email protected]>
@ 2024-04-22 16:57 ` Adrian Klaver <[email protected]>
0 siblings, 0 replies; 4+ messages in thread
From: Adrian Klaver @ 2024-04-22 16:57 UTC (permalink / raw)
To: Philippe Strauss <[email protected]>; [email protected]
On 4/22/24 09:50, Adrian Klaver wrote:
> On 4/22/24 09:34, Philippe Strauss wrote:
>> Hello, I'm Philippe from switzerland,
>>
>> I'm writing using python a small JSON API for a mycology photos
>> archive webapp. Aside the main API endpoint are two
>> helpers for an autocomplete form.
>> Here is the first one:
>>
>> --8<--
>> @app.route('/genus/<genus>')
>> def genus(genus):
>> with dbconn.cursor() as cur:
>> cur.execute("""SELECT myco.genus.name
>> FROM myco.genus
>> WHERE myco.genus.name LIKE %s""", (genus.upper()+'%',))
>> lsgenus = cur.fetchall()
>> ls = []
>> for genus in lsgenus:
>> ls.append(genus[0])
>> return jsonify(ls)
>> --8<--
>>
>> My questions:
>> - What is the best way to use in psycopg3 to express a SELECT ...
>> WHERE ... LIKE blah% ?
>> - Is my code above safe or vulnerable to a injection attack?
>> - What peoples having passed on the same pattern have to recommend?
>
> Read:
>
> https://www.psycopg.org/psycopg3/docs/basic/params.html
>
> It will answer the above.
>
> For this case from link:
>
> "When parameters are used, in order to include a literal % in the query
> you can use the %% string:"
Actually ignore the above, that only applies if you are using % in the
query itself not in the supplied arguments.
>
>>
>> Thanks!
>>
>
--
Adrian Klaver
[email protected]
^ permalink raw reply [nested|flat] 4+ messages in thread
* Re: Safe SELECT ... LIKE abc% in psycopg
2024-04-22 16:34 Safe SELECT ... LIKE abc% in psycopg Philippe Strauss <[email protected]>
@ 2024-04-22 16:59 ` Daniele Varrazzo <[email protected]>
1 sibling, 0 replies; 4+ messages in thread
From: Daniele Varrazzo @ 2024-04-22 16:59 UTC (permalink / raw)
To: Philippe Strauss <[email protected]>; +Cc: [email protected]
Hello Philippe,
Your code seems safe to me. Because the `%` is in the value, not in the
query, I don't think you need to escape it.
If any, I would suggest you to avoid using LIKE and to use the Postgres
regular expression operators (
https://www.postgresql.org/docs/current/functions-matching.html#FUNCTIONS-POSIX-REGEXP),
which integrate better with Python regular expression. Using them, your
code (which I assume be looking for a prefix) might end up looking like:
import re
...
WHERE myco.genus.name ~ %s""", ('^' + re.escape(genus.upper()),))
or using the `~*` operator if you want a non-case-sensitive match.
Note that if your table is large you can index the search using trigram
indexes: see <https://www.postgresql.org/docs/current/pgtrgm.html;. But
this is not related to psycopg.
Cheers
-- Daniele
On Mon, 22 Apr 2024 at 18:34, Philippe Strauss <[email protected]>
wrote:
> Hello, I'm Philippe from switzerland,
>
> I'm writing using python a small JSON API for a mycology photos archive
> webapp. Aside the main API endpoint are two
> helpers for an autocomplete form.
> Here is the first one:
>
> --8<--
> @app.route('/genus/<genus>')
> def genus(genus):
> with dbconn.cursor() as cur:
> cur.execute("""SELECT myco.genus.name
> FROM myco.genus
> WHERE myco.genus.name LIKE %s""", (genus.upper()+'%',))
> lsgenus = cur.fetchall()
> ls = []
> for genus in lsgenus:
> ls.append(genus[0])
> return jsonify(ls)
> --8<--
>
> My questions:
> - What is the best way to use in psycopg3 to express a SELECT ... WHERE
> ... LIKE blah% ?
> - Is my code above safe or vulnerable to a injection attack?
> - What peoples having passed on the same pattern have to recommend?
>
> Thanks!
>
> --
> Philippe Strauss
> https://straussengineering.ch/
>
>
>
>
^ permalink raw reply [nested|flat] 4+ messages in thread
end of thread, other threads:[~2024-04-22 16:59 UTC | newest]
Thread overview: 4+ messages (download: mbox mbox.gz follow: Atom feed)
-- links below jump to the message on this page --
2024-04-22 16:34 Safe SELECT ... LIKE abc% in psycopg Philippe Strauss <[email protected]>
2024-04-22 16:50 ` Adrian Klaver <[email protected]>
2024-04-22 16:57 ` Adrian Klaver <[email protected]>
2024-04-22 16:59 ` Daniele Varrazzo <[email protected]>
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox