Received: from malur.postgresql.org ([217.196.149.56])
	by arkaria.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <psycopg-owner+archive@lists.postgresql.org>)
	id 1rywcz-001C79-Bu
	for psycopg@arkaria.postgresql.org; Mon, 22 Apr 2024 16:34:50 +0000
Received: from localhost ([127.0.0.1] helo=malur.postgresql.org)
	by malur.postgresql.org with esmtp (Exim 4.94.2)
	(envelope-from <psycopg-owner+archive@lists.postgresql.org>)
	id 1rywcx-008dLO-Vo
	for psycopg@arkaria.postgresql.org; Mon, 22 Apr 2024 16:34:47 +0000
Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29])
	by malur.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <philippe@straussaudio.ch>)
	id 1rywcw-008dIS-Uy
	for psycopg@lists.postgresql.org; Mon, 22 Apr 2024 16:34:47 +0000
Received: from strauss.vserver.nimag.net ([62.220.136.28])
	by magus.postgresql.org with esmtps  (TLS1.3) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
	(Exim 4.94.2)
	(envelope-from <philippe@straussaudio.ch>)
	id 1rywcu-002Mx3-1J
	for psycopg@lists.postgresql.org; Mon, 22 Apr 2024 16:34:46 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=straussaudio.ch;
	s=dkim; t=1713803681;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=czvywmNrCB0/nYtLgooIvT8aGyIf/snOlPHkPjsPFh8=;
	b=adEWsXk4W8YqQxZ5RpU7pIIya3LzqcHxC9x0XksbAvhVFAIm6SG3JrXW8O9NkzNZc+Uzv0
	lngO5D/TEqDBlTl7qrf8pRbj0rFaoJAB7etqKDmrKcoCyPi40PvF5GW4QYyr2/g+kSLcjU
	RTTbUCB9hiDOV0W/IsellRlllObro7Y=
Received: from [192.168.158.135]
 (214.60.4.146.static.wline.lns.sme.cust.swisscom.ch [146.4.60.214])
	by strauss.vserver.nimag.net (OpenSMTPD) with ESMTPSA id f16f7f00
 (TLSv1.3:TLS_AES_256_GCM_SHA384:256:NO)
	for <psycopg@lists.postgresql.org>;
	Mon, 22 Apr 2024 16:34:41 +0000 (UTC)
Message-ID: <6b4e2581-8b08-4f0c-b159-cd078fd988a9@straussaudio.ch>
Date: Mon, 22 Apr 2024 18:34:40 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: psycopg@lists.postgresql.org
From: Philippe Strauss <philippe@straussaudio.ch>
Subject: Safe SELECT ... LIKE abc% in psycopg
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
List-Id: <psycopg.lists.postgresql.org>
List-Help: <https://lists.postgresql.org/manage/>
List-Subscribe: <https://lists.postgresql.org/manage/>
List-Post: <mailto:psycopg@lists.postgresql.org>
List-Owner: <mailto:psycopg-owner@lists.postgresql.org>
List-Archive: <https://www.postgresql.org/list/psycopg>
Archived-At: 
 <https://www.postgresql.org/message-id/6b4e2581-8b08-4f0c-b159-cd078fd988a9%40straussaudio.ch>
Precedence: bulk

Hello, I'm Philippe from switzerland,

I'm writing using python a small JSON API for a mycology photos archive 
webapp. Aside the main API endpoint are two
helpers for an autocomplete form.
Here is the first one:

--8<--
@app.route('/genus/<genus>')
def genus(genus):
     with dbconn.cursor() as cur:
         cur.execute("""SELECT myco.genus.name
             FROM myco.genus
             WHERE myco.genus.name LIKE %s""", (genus.upper()+'%',))
         lsgenus = cur.fetchall()
         ls = []
         for genus in lsgenus:
             ls.append(genus[0])
     return jsonify(ls)
--8<--

My questions:
- What is the best way to use in psycopg3 to express a SELECT ... WHERE 
... LIKE blah% ?
- Is my code above safe or vulnerable to a injection attack?
- What peoples having passed on the same pattern have to recommend?

Thanks!

-- 
Philippe Strauss
https://straussengineering.ch/