Safe SELECT ... LIKE abc% in psycopg

public inbox for [email protected]  
help / color / mirror / Atom feed

Safe SELECT ... LIKE abc% in psycopg
4+ messages / 3 participants
[nested] [flat]

* Safe SELECT ... LIKE abc% in psycopg
@ 2024-04-22 16:34  Philippe Strauss <[email protected]>
  0 siblings, 2 replies; 4+ messages in thread

From: Philippe Strauss @ 2024-04-22 16:34 UTC (permalink / raw)
  To: [email protected]

Hello, I'm Philippe from switzerland,

I'm writing using python a small JSON API for a mycology photos archive 
webapp. Aside the main API endpoint are two
helpers for an autocomplete form.
Here is the first one:

--8<--
@app.route('/genus/<genus>')
def genus(genus):
     with dbconn.cursor() as cur:
         cur.execute("""SELECT myco.genus.name
             FROM myco.genus
             WHERE myco.genus.name LIKE %s""", (genus.upper()+'%',))
         lsgenus = cur.fetchall()
         ls = []
         for genus in lsgenus:
             ls.append(genus[0])
     return jsonify(ls)
--8<--

My questions:
- What is the best way to use in psycopg3 to express a SELECT ... WHERE 
... LIKE blah% ?
- Is my code above safe or vulnerable to a injection attack?
- What peoples having passed on the same pattern have to recommend?

Thanks!

-- 
Philippe Strauss
https://straussengineering.ch/






^ permalink  raw  reply  [nested|flat] 4+ messages in thread

* Re: Safe SELECT ... LIKE abc% in psycopg
@ 2024-04-22 16:50  Adrian Klaver <[email protected]>
  parent: Philippe Strauss <[email protected]>
  1 sibling, 1 reply; 4+ messages in thread

From: Adrian Klaver @ 2024-04-22 16:50 UTC (permalink / raw)
  To: Philippe Strauss <[email protected]>; [email protected]

On 4/22/24 09:34, Philippe Strauss wrote:
> Hello, I'm Philippe from switzerland,
> 
> I'm writing using python a small JSON API for a mycology photos archive 
> webapp. Aside the main API endpoint are two
> helpers for an autocomplete form.
> Here is the first one:
> 
> --8<--
> @app.route('/genus/<genus>')
> def genus(genus):
>      with dbconn.cursor() as cur:
>          cur.execute("""SELECT myco.genus.name
>              FROM myco.genus
>              WHERE myco.genus.name LIKE %s""", (genus.upper()+'%',))
>          lsgenus = cur.fetchall()
>          ls = []
>          for genus in lsgenus:
>              ls.append(genus[0])
>      return jsonify(ls)
> --8<--
> 
> My questions:
> - What is the best way to use in psycopg3 to express a SELECT ... WHERE 
> ... LIKE blah% ?
> - Is my code above safe or vulnerable to a injection attack?
> - What peoples having passed on the same pattern have to recommend?

Read:

https://www.psycopg.org/psycopg3/docs/basic/params.html

It will answer the above.

For this case from link:

"When parameters are used, in order to include a literal % in the query 
you can use the %% string:"

> 
> Thanks!
> 

-- 
Adrian Klaver
[email protected]






^ permalink  raw  reply  [nested|flat] 4+ messages in thread

* Re: Safe SELECT ... LIKE abc% in psycopg
@ 2024-04-22 16:57  Adrian Klaver <[email protected]>
  parent: Adrian Klaver <[email protected]>
  0 siblings, 0 replies; 4+ messages in thread

From: Adrian Klaver @ 2024-04-22 16:57 UTC (permalink / raw)
  To: Philippe Strauss <[email protected]>; [email protected]

On 4/22/24 09:50, Adrian Klaver wrote:
> On 4/22/24 09:34, Philippe Strauss wrote:
>> Hello, I'm Philippe from switzerland,
>>
>> I'm writing using python a small JSON API for a mycology photos 
>> archive webapp. Aside the main API endpoint are two
>> helpers for an autocomplete form.
>> Here is the first one:
>>
>> --8<--
>> @app.route('/genus/<genus>')
>> def genus(genus):
>>      with dbconn.cursor() as cur:
>>          cur.execute("""SELECT myco.genus.name
>>              FROM myco.genus
>>              WHERE myco.genus.name LIKE %s""", (genus.upper()+'%',))
>>          lsgenus = cur.fetchall()
>>          ls = []
>>          for genus in lsgenus:
>>              ls.append(genus[0])
>>      return jsonify(ls)
>> --8<--
>>
>> My questions:
>> - What is the best way to use in psycopg3 to express a SELECT ... 
>> WHERE ... LIKE blah% ?
>> - Is my code above safe or vulnerable to a injection attack?
>> - What peoples having passed on the same pattern have to recommend?
> 
> Read:
> 
> https://www.psycopg.org/psycopg3/docs/basic/params.html
> 
> It will answer the above.
> 
> For this case from link:
> 
> "When parameters are used, in order to include a literal % in the query 
> you can use the %% string:"

Actually ignore the above, that only applies if you are using % in the 
query itself not in the supplied arguments.

> 
>>
>> Thanks!
>>
> 

-- 
Adrian Klaver
[email protected]






^ permalink  raw  reply  [nested|flat] 4+ messages in thread

* Re: Safe SELECT ... LIKE abc% in psycopg
@ 2024-04-22 16:59  Daniele Varrazzo <[email protected]>
  parent: Philippe Strauss <[email protected]>
  1 sibling, 0 replies; 4+ messages in thread

From: Daniele Varrazzo @ 2024-04-22 16:59 UTC (permalink / raw)
  To: Philippe Strauss <[email protected]>; +Cc: [email protected]

Hello Philippe,

Your code seems safe to me. Because the `%` is in the value, not in the
query, I don't think you need to escape it.

If any, I would suggest you to avoid using LIKE and to use the Postgres
regular expression operators (
https://www.postgresql.org/docs/current/functions-matching.html#FUNCTIONS-POSIX-REGEXP),
which integrate better with Python regular expression. Using them, your
code (which I assume be looking for a prefix) might end up looking like:

    import re
    ...
    WHERE myco.genus.name ~ %s""", ('^' + re.escape(genus.upper()),))

or using the `~*` operator if you want a non-case-sensitive match.

Note that if your table is large you can index the search using trigram
indexes: see <https://www.postgresql.org/docs/current/pgtrgm.html;. But
this is not related to psycopg.

Cheers

-- Daniele

On Mon, 22 Apr 2024 at 18:34, Philippe Strauss <[email protected]>
wrote:

> Hello, I'm Philippe from switzerland,
>
> I'm writing using python a small JSON API for a mycology photos archive
> webapp. Aside the main API endpoint are two
> helpers for an autocomplete form.
> Here is the first one:
>
> --8<--
> @app.route('/genus/<genus>')
> def genus(genus):
>      with dbconn.cursor() as cur:
>          cur.execute("""SELECT myco.genus.name
>              FROM myco.genus
>              WHERE myco.genus.name LIKE %s""", (genus.upper()+'%',))
>          lsgenus = cur.fetchall()
>          ls = []
>          for genus in lsgenus:
>              ls.append(genus[0])
>      return jsonify(ls)
> --8<--
>
> My questions:
> - What is the best way to use in psycopg3 to express a SELECT ... WHERE
> ... LIKE blah% ?
> - Is my code above safe or vulnerable to a injection attack?
> - What peoples having passed on the same pattern have to recommend?
>
> Thanks!
>
> --
> Philippe Strauss
> https://straussengineering.ch/
>
>
>
>

^ permalink  raw  reply  [nested|flat] 4+ messages in thread

end of thread, other threads:[~2024-04-22 16:59 UTC | newest]

Thread overview: 4+ messages (download: mbox mbox.gz follow: Atom feed)
-- links below jump to the message on this page --
2024-04-22 16:34 Safe SELECT ... LIKE abc% in psycopg Philippe Strauss <[email protected]>
2024-04-22 16:50 ` Adrian Klaver <[email protected]>
2024-04-22 16:57   ` Adrian Klaver <[email protected]>
2024-04-22 16:59 ` Daniele Varrazzo <[email protected]>

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox