From: | Ivan Sergio Borgonovo <mail(at)webthatworks(dot)it> |
---|---|
To: | pgsql-sql(at)postgresql(dot)org |
Subject: | Re: Protection from SQL injection |
Date: | 2008-04-27 17:18:40 |
Message-ID: | 20080427191840.494b6bf7@dawn.webthatworks.it |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-sql |
On Sun, 27 Apr 2008 11:55:18 -0400
Joe <dev(at)freedomcircle(dot)net> wrote:
> Ivan Sergio Borgonovo wrote:
> > It'd be nice to have a wrapper that let you write prepared
> > statements this way:
> >
> > "select a.id, b.name from a join b on a.id=b.id where
> > a.status=$variable1 and b.id>$variable2 etc... but that's a pretty
> > good change to any language parser.
> Python already supports something like that. See PEP 249
> (http://www.python.org/dev/peps/pep-0249/) under Module Interface,
> the description of the paramstyle parameter. Psycopg2 supports both
> the "format" (C printf) and "pyformat" styles. See the last section
> on this page for an example using the pyformat style:
> http://www.devx.com/opensource/Article/29071/0/page/3.
That's better than nothing but it is still a lot of code duplication.
You've to write column names in the sql statement and in the array
and... column values are not contextual to the statement.
That's easy... while what I wrote above does look as requiring a
really special parser.
Furthermore from the example it looks as if all this is going to
miss the scope to prevent sql injection since it doesn't support
prepared statements.
--
Ivan Sergio Borgonovo
http://www.webthatworks.it
From | Date | Subject | |
---|---|---|---|
Next Message | Joe | 2008-04-27 18:25:06 | Re: Protection from SQL injection |
Previous Message | Mag Gam | 2008-04-27 16:14:49 | Re: Curious about wide tables. |