Skip site navigation (1) Skip section navigation (2)

Re: Protection from SQL injection

From: Ivan Sergio Borgonovo <mail(at)webthatworks(dot)it>
To: pgsql-sql(at)postgresql(dot)org
Subject: Re: Protection from SQL injection
Date: 2008-04-27 17:18:40
Message-ID: (view raw, whole thread or download thread mbox)
Lists: pgsql-sql
On Sun, 27 Apr 2008 11:55:18 -0400
Joe <dev(at)freedomcircle(dot)net> wrote:

> Ivan Sergio Borgonovo wrote:
> > It'd be nice to have a wrapper that let you write prepared
> > statements this way:
> >
> > "select, from a join b on where
> > a.status=$variable1 and>$variable2 etc... but that's a pretty
> > good change to any language parser.

> Python already supports something like that. See PEP 249 
> (, under Module Interface,
> the description of the paramstyle parameter. Psycopg2 supports both
> the "format" (C printf) and "pyformat" styles. See the last section
> on this page for an example using the pyformat style: 

That's better than nothing but it is still a lot of code duplication.
You've to write column names in the sql statement and in the array
and... column values are not contextual to the statement.
That's easy... while what I wrote above does look as requiring a
really special parser.

Furthermore from the example it looks as if all this is going to
miss the scope to prevent sql injection since it doesn't support
prepared statements.

Ivan Sergio Borgonovo

In response to


pgsql-sql by date

Next:From: JoeDate: 2008-04-27 18:25:06
Subject: Re: Protection from SQL injection
Previous:From: Mag GamDate: 2008-04-27 16:14:49
Subject: Re: Curious about wide tables.

Privacy Policy | About PostgreSQL
Copyright © 1996-2017 The PostgreSQL Global Development Group