Re: Protection from SQL injection


  • From: Joe <dev(at)freedomcircle(dot)net>
  • To: Ivan Sergio Borgonovo <mail(at)webthatworks(dot)it>
  • Cc: pgsql-sql(at)postgresql(dot)org
  • Subject: Re: Protection from SQL injection
  • Date: Sun, 27 Apr 2008 14:25:06 -0400
  • Message-id: <4814C502.7070604@freedomcircle.net> <text/plain>

Ivan Sergio Borgonovo wrote:
That's better than nothing but it is still a lot of code duplication.
You have to write column names in the SQL statement and in the array
and... column values are not contextual to the statement.

The apparent duplication in the example stems from its tutorial nature. In a real program, the namedict "array" (it's actually a Python tuple--an immutable array) would normally be constructed programmatically from user or other input. Note also that although Joshua chose to use dictionary keys named identically to the PG column names, they could be named differently, like "first" and "last".
That's easy... while what I wrote above does look like it requires a
really special parser.

Furthermore from the example it looks as if all this is going to
miss the scope to prevent sql injection since it doesn't support
prepared statements.

I assume you didn't check the PEP 249 (http://www.python.org/dev/peps/pep-0249/). The execute() and executemany() Cursor object methods are precisely to prepare and execute database operations.

Joe
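The mechanism Joe is pointing at (values handed to execute()/executemany() separately from the SQL text, and dictionary keys that need not match the column names) is shown below in an added example that is not code from this thread or from Joshua's original post. It uses the standard-library sqlite3 module as a stand-in for a PostgreSQL driver, since it ships with Python and follows the same PEP 249 interface; the table name, column names, sample rows and the hostile input are all constructed for the example. One difference to keep in mind: sqlite3 uses the `named` paramstyle (`:first`), while psycopg2 uses `pyformat` (`%(first)s`).

```python
"""Parameterised inserts and lookups through the PEP 249 (DB-API 2.0) interface.

Added example. sqlite3 stands in for a PostgreSQL driver; the schema and data
are constructed for illustration and are not from the mailing-list thread.
"""
import sqlite3

# Constructed sample rows. The keys ("first", "last") deliberately differ from
# the column names: the statement text maps one onto the other, so nothing
# forces the two namings to agree.
PEOPLE = [
    {"first": "Ada", "last": "Lovelace"},
    {"first": "Grace", "last": "Hopper"},
]

# Constructed hostile input: a tautology that, if spliced into the SQL text,
# turns a lookup of one surname into a dump of every row.
HOSTILE_LASTNAME = "x' OR '1'='1"


def make_db():
    """Create an in-memory database and load PEOPLE with executemany()."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE person (firstname TEXT, lastname TEXT)")
    # executemany() prepares the statement once and binds each mapping to it
    # in turn; the values are data to the driver, never SQL.
    conn.executemany(
        "INSERT INTO person (firstname, lastname) VALUES (:first, :last)",
        PEOPLE,
    )
    conn.commit()
    return conn


def find_unsafe(conn, lastname):
    """Vulnerable form: the value is pasted into the statement text."""
    stmt = "SELECT firstname FROM person WHERE lastname = '%s'" % lastname
    return [row[0] for row in conn.execute(stmt)]


def find_safe(conn, lastname):
    """Hardened form: the value travels as a bound parameter."""
    stmt = "SELECT firstname FROM person WHERE lastname = :last"
    return [row[0] for row in conn.execute(stmt, {"last": lastname})]


def demo():
    """Run both lookups against the hostile input and return their results."""
    conn = make_db()
    unsafe = find_unsafe(conn, HOSTILE_LASTNAME)  # the tautology matches every row
    safe = find_safe(conn, HOSTILE_LASTNAME)      # no surname equals the literal string
    conn.close()
    return unsafe, safe


if __name__ == "__main__":
    leaked, bound = demo()
    print("string-built query returned:", leaked)  # ['Ada', 'Grace']
    print("parameterised query returned:", bound)   # []
```

The contrast is the whole point of the DB-API design: the same hostile string reaches the database either way, but only the interpolated version lets it change the statement's structure. A quick review check for existing code is to grep for `%` or `+` or f-strings applied to anything passed to `execute()`; every hit should become a parameter binding.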
