| From: | <hefferon9(at)adelphia(dot)net> |
|---|---|
| To: | pgsql-general(at)postgresql(dot)org |
| Subject: | SQL injection in a ~ or LIKE statement |
| Date: | 2006-10-20 12:07:59 |
| Message-ID: | 22553802.1161346079451.JavaMail.root@web20 |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Hello,
I'm concerned about whether the usual parameter escaping mechanism is enough in a LIKE or regular expression search.
I run a recent Postgres version and use the Python connector psycopg2 for a web application. I understand that if I always escape as in
dBres=dBcsr.execute('SELECT docText FROM documents WHERE name=%(storyName)s',{'storyName':storyName})
then I am doing the right thing. Suppose now that I want to search the text of those documents? I have been unable to find if I need to anything more for a LIKE or regex search, and also unable to find any assurance that it is enough. (No doubt I've not looked in the right place; sorry.)
I plan to add full text searching also; is the escaping mechanism enough there?
Thank you for your help,
Jim
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Andreas Seltenreich | 2006-10-20 12:10:48 | Re: why not kill -9 postmaster |
| Previous Message | Uyelik | 2006-10-20 11:59:37 | Where is the pg_terminate_backend() function? Way to execute shell cmd |