Re: Protection from SQL injection

From: Joe <dev(at)freedomcircle(dot)net>
To: Ivan Sergio Borgonovo <mail(at)webthatworks(dot)it>
Cc: pgsql-sql(at)postgresql(dot)org
Subject: Re: Protection from SQL injection
Date: 2008-04-27 15:55:18
Message-ID: 4814A1E6.1070200@freedomcircle.net
Lists: pgsql-sql

Ivan Sergio Borgonovo wrote:
> It'd be nice to have a wrapper that let you write prepared statements
> this way:
>
> "select a.id, b.name from a join b on a.id=b.id where
> a.status=$variable1 and b.id>$variable2 etc... but that's a pretty
> good change to any language parser.
>

Python already supports something like that. See PEP 249
(http://www.python.org/dev/peps/pep-0249/), under Module Interface, the
description of the paramstyle parameter. Psycopg2 supports both the
"format" (C printf) and "pyformat" styles. See the last section on this
page for an example using the pyformat style:
http://www.devx.com/opensource/Article/29071/0/page/3.

Joe
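As an added illustration of the point above (this is not code from the thread, psycopg2 or any project), here is a small wrapper that accepts the "$variable" placeholder style Ivan wished for and rewrites it into whichever PEP 249 paramstyle the driver reports, so the values are bound by the driver instead of being pasted into the SQL text. It uses sqlite3 from the standard library as a stand-in DB-API driver so it runs offline; the "format" and "pyformat" output is the shape psycopg2 accepts, but nothing is sent to PostgreSQL here. The names translate, run, unsafe_run and make_db, and the tables a and b with their rows, are all constructed for the example.

```python
"""Rewrite $name placeholders into a DB-API (PEP 249) paramstyle and bind them.

Added example, not code from the original thread.  sqlite3 is used as a
stand-in driver; its paramstyle is "qmark".  The "format"/"pyformat"
strings are what psycopg2's cursor.execute() expects (assumption: you would
pass them unchanged to psycopg2, which is not executed here).
"""
import re
import sqlite3

# $status, $min_id ... as in the quoted wish-list query
PLACEHOLDER = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def translate(sql, params, paramstyle):
    """Return (driver_sql, driver_params) for the given paramstyle.

    The values in `params` never enter the SQL string; only placeholder
    syntax is rewritten, so the driver does the quoting or binding.
    """
    names = PLACEHOLDER.findall(sql)
    missing = set(names) - set(params)
    if missing:
        raise KeyError("missing parameters: %s" % sorted(missing))
    positional = tuple(params[n] for n in names)
    by_name = {n: params[n] for n in names}
    if paramstyle in ("format", "pyformat"):
        # a literal % in the SQL (e.g. LIKE 'a%') must be doubled for these styles
        sql = sql.replace("%", "%%")
    if paramstyle == "qmark":
        return PLACEHOLDER.sub("?", sql), positional
    if paramstyle == "format":
        return PLACEHOLDER.sub("%s", sql), positional
    if paramstyle == "numeric":
        counter = iter(range(1, len(names) + 1))
        return PLACEHOLDER.sub(lambda m: ":%d" % next(counter), sql), positional
    if paramstyle == "named":
        return PLACEHOLDER.sub(lambda m: ":" + m.group(1), sql), by_name
    if paramstyle == "pyformat":
        return PLACEHOLDER.sub(lambda m: "%%(%s)s" % m.group(1), sql), by_name
    raise ValueError("unknown paramstyle %r" % paramstyle)


# the query from the thread, with named $ placeholders
QUERY = ("select a.id, b.name from a join b on a.id=b.id "
         "where a.status=$status and b.id>$min_id")


def make_db():
    """Constructed sample schema/data for the example (in-memory sqlite)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        create table a (id integer primary key, status text);
        create table b (id integer primary key, name text);
        insert into a values (1, 'active'), (2, 'active'), (3, 'disabled');
        insert into b values (1, 'alice'), (2, 'bob'), (3, 'carol');
    """)
    return conn


def run(conn, sql, params):
    """Safe path: rewrite to the driver's paramstyle and let it bind values."""
    driver_sql, driver_params = translate(sql, params, sqlite3.paramstyle)
    return conn.execute(driver_sql, driver_params).fetchall()


def unsafe_run(conn, sql, params):
    """The 'before' picture: values spliced into the SQL text by hand.

    Deliberately vulnerable; shown only to contrast with run().
    """
    def splice(m):
        v = params[m.group(1)]
        return "'%s'" % v if isinstance(v, str) else str(v)
    return conn.execute(PLACEHOLDER.sub(splice, sql)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    hostile = {"status": "x' or '1'='1", "min_id": 0}
    print("bound:   ", run(conn, QUERY, hostile))        # no rows
    print("spliced: ", unsafe_run(conn, QUERY, hostile))  # every row
    print(translate(QUERY, hostile, "pyformat")[0])       # what psycopg2 would get
```

With sqlite3 the hostile status value is bound as one literal string and matches nothing; the spliced version turns the WHERE clause into `a.status='x' or '1'='1' and b.id>0` and returns the whole join. Note that psycopg2 does the quoting client-side rather than sending a server-side prepared statement, but the values still never pass through your own string formatting, which is what matters here.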
