| From: | Philippe Strauss <philippe(at)straussaudio(dot)ch> |
|---|---|
| To: | psycopg(at)lists(dot)postgresql(dot)org |
| Subject: | Safe SELECT ... LIKE abc% in psycopg |
| Date: | 2024-04-22 16:34:40 |
| Message-ID: | 6b4e2581-8b08-4f0c-b159-cd078fd988a9@straussaudio.ch |
| Lists: | psycopg |
Hello, I'm Philippe from Switzerland,
I'm writing, using Python, a small JSON API for a mycology photo archive
webapp. Aside from the main API endpoint there are two
helpers for an autocomplete form.
Here is the first one:
--8<--
from flask import Flask, jsonify

app = Flask(__name__)
# dbconn is the application's open psycopg connection, created elsewhere

@app.route('/genus/<genus>')
def genus(genus):
    # The value is passed as a bound parameter; the '%' wildcard is
    # appended in Python, not written into the SQL text.
    with dbconn.cursor() as cur:
        cur.execute("""SELECT myco.genus.name
                       FROM myco.genus
                       WHERE myco.genus.name LIKE %s""", (genus.upper()+'%',))
        lsgenus = cur.fetchall()
    ls = []
    for row in lsgenus:
        ls.append(row[0])
    return jsonify(ls)
--8<--
My questions:
- What is the best way in psycopg3 to express a SELECT ... WHERE
... LIKE blah% ?
- Is my code above safe, or vulnerable to an injection attack?
- What do people who have gone through the same pattern recommend?
Thanks!
--
Philippe Strauss
https://straussengineering.ch/
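As an added example, not part of the thread or of psycopg itself: the prefix search written for psycopg 3 with the query text and the bound value kept apart, plus escaping of LIKE's own wildcards so that a typed `%` or `_` matches literally instead of widening the search. The `ORDER BY`, the `ESCAPE` clause and the connection DSN are assumptions; table and column names follow the original post.

```python
"""Safe prefix search for psycopg 3 (added example, not the post's code).

The SQL is a fixed string with a %s placeholder; psycopg binds the value
server-side, so quotes or semicolons in the user's text are just data.
LIKE's own wildcards are escaped separately, since parameter binding does
not protect against a user typing '%' to list the whole table."""
from __future__ import annotations
import re

# LIKE treats '%' and '_' as wildcards; with ESCAPE '\' we neutralise them
# (and the escape character itself) inside user-supplied text.
_LIKE_SPECIALS = re.compile(r"([\\%_])")


def escape_like(text: str) -> str:
    """Backslash-escape LIKE metacharacters in user input."""
    return _LIKE_SPECIALS.sub(r"\\\1", text)


def genus_prefix_query(prefix: str) -> tuple[str, tuple[str]]:
    """Return (sql, params) for a case-folded prefix search on myco.genus."""
    sql = ("SELECT name FROM myco.genus "
           "WHERE name LIKE %s ESCAPE '\\' ORDER BY name")
    # The trailing '%' is the only wildcard we want, so it is added after
    # escaping; the user's own text is never concatenated into `sql`.
    return sql, (escape_like(prefix.upper()) + "%",)


def fetch_genus(conn, prefix: str) -> list[str]:
    """Run the query on an open psycopg 3 connection and return plain names."""
    sql, params = genus_prefix_query(prefix)
    with conn.cursor() as cur:
        cur.execute(sql, params)
        return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    import psycopg  # psycopg 3; the DSN below is an assumed placeholder
    with psycopg.connect("dbname=myco") as conn:
        print(fetch_genus(conn, "Ama"))
```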