From: | "Uwe C(dot) Schroeder" <uwe(at)oss4u(dot)com> |
---|---|
To: | pgsql-general(at)postgresql(dot)org |
Cc: | Volkan YAZICI <yazicivo(at)ttnet(dot)net(dot)tr>, hefferon9(at)adelphia(dot)net |
Subject: | Re: SQL injection in a ~ or LIKE statement |
Date: | 2006-10-22 21:33:12 |
Message-ID: | 200610221433.12693.uwe@oss4u.com |
Lists: | pgsql-general |
On Sunday 22 October 2006 12:32, Volkan YAZICI wrote:
> On Oct 20 05:07, hefferon9(at)adelphia(dot)net wrote:
> > I'm concerned about whether the usual parameter escaping mechanism is
> > enough in a LIKE or regular expression search.
> >
> > I run a recent Postgres version and use the Python connector psycopg2
> > for a web application. I understand that if I always escape as in
> >
> > dBres=dBcsr.execute('SELECT docText FROM documents WHERE
> > name=%(storyName)s',{'storyName':storyName})
> >
> > then I am doing the right thing.
>
> Please pay attention that [IIRC] psycopg2 uses its own escaping
> mechanism. Therefore, you should better ask this question on psycopg2
> ml.
>
> > I plan to add full text searching also; is the escaping mechanism
> > enough there?
>
> If I were you, I'd ask psycopg2 developers to implement parameters that
> are natively supported by PostgreSQL. With parameters, you won't mess up
> with any escaping or injection-related issue.
psycopg2 supports parameters which are escaped properly.
Uwe
--
Open Source Solutions 4U, LLC 1618 Kelly St
Phone: +1 707 568 3056 Santa Rosa, CA 95401
Cell: +1 650 302 2405 United States
Fax: +1 707 568 6416
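An added example, not code from anyone in this thread, that illustrates the point under discussion: with psycopg2's `%(name)s` paramstyle the user's text is passed as a parameter and never becomes part of the SQL text, so it cannot inject SQL. What parameterization does not do is neutralize the pattern language itself: `%` and `_` stay wildcards inside a LIKE pattern, and `.`, `*`, `(` and friends stay metacharacters inside a `~` regex, so a search term still needs pattern-level escaping. The table and column names are taken from the original question; `LIKE_ESCAPE`, `escape_like`, `like_query`, `regex_query` and the toy `like_matches` evaluator (used only to show the wildcard effect offline, not a PostgreSQL implementation) are assumptions of this example.

```python
import re

# Escape character handed to the ESCAPE clause (a constructed choice; any
# single character that cannot appear in the data would do).
LIKE_ESCAPE = "\\"


def escape_like(text: str, escape: str = LIKE_ESCAPE) -> str:
    """Make user text match literally inside a LIKE pattern.

    The escape character is doubled first; otherwise the escapes added in
    front of % and _ would be escaped a second time.
    """
    for ch in (escape, "%", "_"):
        text = text.replace(ch, escape + ch)
    return text


def like_query(story_name: str):
    """Prefix search. Returns (sql, params) for cursor.execute(sql, params).

    The user's text appears only in params, never in sql; the trailing %
    is the one wildcard we intend, added after escaping.
    """
    sql = ("SELECT docText FROM documents "
           "WHERE name LIKE %(pat)s ESCAPE %(esc)s")
    params = {"pat": escape_like(story_name) + "%", "esc": LIKE_ESCAPE}
    return sql, params


def regex_query(story_name: str):
    """Anchored regex search with ~. re.escape backslash-escapes only
    non-alphanumeric characters, which PostgreSQL's ARE syntax also reads
    as the literal character, so the same escaping is usable here.
    """
    sql = "SELECT docText FROM documents WHERE name ~ %(pat)s"
    return sql, {"pat": "^" + re.escape(story_name)}


def like_to_regex(pattern: str, escape: str = LIKE_ESCAPE) -> "re.Pattern":
    """Hypothetical helper: translate a LIKE pattern into a Python regex so
    the wildcard behaviour can be shown without a database connection."""
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == escape and i + 1 < len(pattern):
            out.append(re.escape(pattern[i + 1]))  # escaped char: literal
            i += 2
            continue
        if c == "%":
            out.append(".*")        # LIKE %: any run of characters
        elif c == "_":
            out.append(".")         # LIKE _: exactly one character
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$", re.DOTALL)


def like_matches(pattern: str, value: str, escape: str = LIKE_ESCAPE) -> bool:
    """Evaluate `value LIKE pattern ESCAPE escape` with the toy translator."""
    return like_to_regex(pattern, escape).match(value) is not None


if __name__ == "__main__":
    # Constructed input: a search term that contains a LIKE wildcard.
    term = "100%"
    print(like_query(term))
    # Unescaped, the term matches far more than the literal string ...
    print(like_matches(term, "1000"))              # True: % acted as wildcard
    # ... escaped, it matches only itself.
    print(like_matches(escape_like(term), "1000"))  # False
    print(like_matches(escape_like(term), "100%"))  # True
```

The two query builders return exactly the `(sql, params)` pair that the question's `dBcsr.execute(...)` call takes, so the driver's parameter handling is unchanged; the only addition is that the pattern string handed over as a parameter is escaped before the intended wildcard or anchor is appended. The toy evaluator is there to make the difference visible: an unescaped `%` or `_` from a user turns a lookup into a broader match (and a `%`-only term into a full table scan), which is a data-exposure and denial-of-service concern even though it is not SQL injection.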