Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1rywyq-001Db8-2C for psycopg@arkaria.postgresql.org; Mon, 22 Apr 2024 16:57:24 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1rywyn-009FnX-5S for psycopg@arkaria.postgresql.org; Mon, 22 Apr 2024 16:57:21 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1rywym-009Fmz-AA for psycopg@lists.postgresql.org; Mon, 22 Apr 2024 16:57:20 +0000 Received: from wfout6-smtp.messagingengine.com ([64.147.123.149]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1rywyi-0046pF-Hw for psycopg@lists.postgresql.org; Mon, 22 Apr 2024 16:57:18 +0000 Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailfout.west.internal (Postfix) with ESMTP id 7EEBE1C0010B; Mon, 22 Apr 2024 12:57:12 -0400 (EDT) Received: from mailfrontend1 ([10.202.2.162]) by compute1.internal (MEProxy); Mon, 22 Apr 2024 12:57:12 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aklaver.com; h= cc:content-transfer-encoding:content-type:content-type:date:date :from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:subject:subject:to:to; s=fm2; t=1713805032; x=1713891432; bh=fZa0ieYticE+YvITcCPHXazNSRls5C6Dl3CHBcB2o8I=; b= Yi+Wx+0IOrswaj26EPGHeIqynqIB/tOEDJSFt6V+gWGl1cVe7fw3cadQLsFRkY0K QKWVa5gptqhvmZ8RWSorFD0AQRmGbB9EtP773P2HI96z4mM4Xdo8MVK+aeJ1X6qK DfvBed0nbYa7juX+4QdkTfXajilEAGoo9Svv9rbjMnJeXAmw7tBxxgHBUOXjPkN0 mGvGQ1arH6VoOKvzsc9ydpMVXNpkbef0mnw5sKJC//N3W7RPKnXBiE7umKbFZ7EL UXTW9x+wUgDn156KGMl5VZHKLWDCdJsloeTEP16AWC6vj7cRqSExwCi23+26DUe+ LCwEmNe04v1j5sQyMbbCPw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm3; t=1713805032; x= 1713891432; bh=fZa0ieYticE+YvITcCPHXazNSRls5C6Dl3CHBcB2o8I=; b=Q 65KSYhX9m8wvbICtcisYtFmsCA1thsb4WA3ZyvAnXl+kAMAeeg+cQgFWP+WDDAQp 65KrYY0GEyk7h2LZQpfR2vGWPgXzp2WADZVcDgzxPec6FROlhIcRzAo3qSsK/Abw YRKNr3LpmLxPSYrAV4JWoYOELmObNIrx29ZR1aKSz9Z+xtB0QBdkfN8kacK9TADP 0xgCFIvmvYZ08wAA809JlQTokjXY0Q5FYLawsJAjMbiH10KbMjx2xFM72WElkTrt JkqNwQPm5qE0xLTHCr2vpas+gt7UO22LBAGPbsMfaeMec7Y/T/54/ozeIpDt+lRk Zzm9+YHVXCDrsFcdU737Q== X-ME-Sender: X-ME-Received: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvledrudekledguddtjecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enucfjughrpefkffggfgfuhffvfhgjtgfgsehtkeertddtvdejnecuhfhrohhmpeetughr ihgrnhcumfhlrghvvghruceorggurhhirghnrdhklhgrvhgvrhesrghklhgrvhgvrhdrtg homheqnecuggftrfgrthhtvghrnhepieevkeefkeejgefffeejfeegkeegkeeuueekgeei gfeuffefteefvedtueelkedvnecuffhomhgrihhnpehgvghnuhhsrdhnrghmvgdpphhshi gtohhpghdrohhrghenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhl fhhrohhmpegrughrihgrnhdrkhhlrghvvghrsegrkhhlrghvvghrrdgtohhm X-ME-Proxy: Feedback-ID: i76984098:Fastmail Received: by mail.messagingengine.com (Postfix) with ESMTPA; Mon, 22 Apr 2024 12:57:11 -0400 (EDT) Message-ID: <8e2b8001-1b48-46ee-9a37-30da7aff4c68@aklaver.com> Date: Mon, 22 Apr 2024 09:57:10 -0700 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: Safe SELECT ... LIKE abc% in psycopg From: Adrian Klaver To: Philippe Strauss , psycopg@lists.postgresql.org References: <6b4e2581-8b08-4f0c-b159-cd078fd988a9@straussaudio.ch> <387a4f5e-5886-443d-bc4e-e649706173a4@aklaver.com> Content-Language: en-US In-Reply-To: <387a4f5e-5886-443d-bc4e-e649706173a4@aklaver.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk On 4/22/24 09:50, Adrian Klaver wrote: > On 4/22/24 09:34, Philippe Strauss wrote: >> Hello, I'm Philippe from switzerland, >> >> I'm writing using python a small JSON API for a mycology photos >> archive webapp. Aside the main API endpoint are two >> helpers for an autocomplete form. >> Here is the first one: >> >> --8<-- >> @app.route('/genus/') >> def genus(genus): >>      with dbconn.cursor() as cur: >>          cur.execute("""SELECT myco.genus.name >>              FROM myco.genus >>              WHERE myco.genus.name LIKE %s""", (genus.upper()+'%',)) >>          lsgenus = cur.fetchall() >>          ls = [] >>          for genus in lsgenus: >>              ls.append(genus[0]) >>      return jsonify(ls) >> --8<-- >> >> My questions: >> - What is the best way to use in psycopg3 to express a SELECT ... >> WHERE ... LIKE blah% ? >> - Is my code above safe or vulnerable to a injection attack? >> - What peoples having passed on the same pattern have to recommend? > > Read: > > https://www.psycopg.org/psycopg3/docs/basic/params.html > > It will answer the above. > > For this case from link: > > "When parameters are used, in order to include a literal % in the query > you can use the %% string:" Actually ignore the above, that only applies if you are using % in the query itself not in the supplied arguments. > >> >> Thanks! >> > -- Adrian Klaver adrian.klaver@aklaver.com