| From: | Volkan YAZICI <yazicivo(at)ttnet(dot)net(dot)tr> |
|---|---|
| To: | hefferon9(at)adelphia(dot)net |
| Cc: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: SQL injection in a ~ or LIKE statement |
| Date: | 2006-10-22 19:32:48 |
| Message-ID: | 20061022193248.GF1374@alamut |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Oct 20 05:07, hefferon9(at)adelphia(dot)net wrote:
> I'm concerned about whether the usual parameter escaping mechanism is
> enough in a LIKE or regular expression search.
>
> I run a recent Postgres version and use the Python connector psycopg2
> for a web application. I understand that if I always escape as in
>
> dBres=dBcsr.execute('SELECT docText FROM documents WHERE
> name=%(storyName)s',{'storyName':storyName})
>
> then I am doing the right thing.
Please pay attention that [IIRC] psycopg2 uses its own escaping
mechanism. Therefore, you should better ask this question on psycopg2
ml.
> I plan to add full text searching also; is the escaping mechanism
> enough there?
If I were you, I'd ask psycopg2 developers to implement parameters that
are natively supported by PostgreSQL. With parameters, you won't mess up
with any escaping or injection related issue.
Regards.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Uwe C. Schroeder | 2006-10-22 21:33:12 | Re: SQL injection in a ~ or LIKE statement |
| Previous Message | Martijn van Oosterhout | 2006-10-22 17:39:44 | Re: storage size of "bitstring"? |