From: | Elliot S <yields(dot)falsehood(at)gmail(dot)com> |
---|---|
To: | Federico Di Gregorio <fog(at)dndg(dot)it>, psycopg(at)postgresql(dot)org |
Subject: | Re: Sanitize schema name |
Date: | 2015-05-27 16:32:42 |
Message-ID: | 5565F1AA.7070703@gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | psycopg |
>>>> In short:
>>>> 1. identifier quoting may use PQescapeIdentifier if it's
>>>> available,
>>>> otherwise the pure-psyco escaping is done
>>
>> No: only the libpq version should be used. The psycopg one is not
>> generic enough and only for internal use. The function is exposed in
>> all the currently supported libpq versions so we don't really care
>> about the older ones.
>
> Agreed.
I've removed the call out to the psycopg quoting.
>>>> 2. the %t format is now accepted, and its value must be either a
>>>> string or bytes (no error handling is done yet if this isn't the
>>>> case) -
>>>> replacement for this calls out to the identifier quoting
>>
>> I don't like this idea: %t is nowhere standard. Psycopg has already
>> powerful enough types-based adaptation: using it with identifiers has
>> always been rejected because moving to libpq parameters would break.
>> But the %t would break too so I don't see why to jump on this idea.
>> Furthermore using a different parameter goes sideways to the entire
>> type system: what if one passes a number to a %t? Looking at the patch
>> it seems like it silently discards the value. That's a no for me.
>>
>> IMO we should just do:
>>
>> 1) expose the PQescape* libpq functions as pure bytes-bytes functions
>> for people to use them as they wish. Under a good moon we should
>> roundtrip unicode around. You know, python 3...
>> 2) have a wrapper identifier object, whose adaptation result in
>> identifier escaping. With current psycopg it could be used with:
>>
>> cur.execute("update table set %s = %s", (ident(field), value))
>
> No no no. Bound variables should be easily identifiable and should not
> be mixed with identifiers. If you don't like %t, that's OK but having
> an ident behave like a bound variable isn't good either. I'd say lets
> just stick to expose quoting functions in psycopg.extensions or as
> extra methods on the connection object.
%t formatting is also removed.
>> if we want this to be used in the future:
>>
>> sql = "update table set %s = %%s" % ident(field) # [note]
>> cur.execute(sql, (value,))
>>
>> [note]: this is a lie because the libpq functions take a connection as
>> parameter too so we cannot just compose using the string % operator.
>> We can have a cursor method doing that instead, or having "ident"
>> being a cursor method.
>
> If it requires a connection, lets stick it to the connection object.
>
> federico
>
I've added a quote_ident() to the connection object.
I'm still working on my quote_ident branch
https://github.com/psycopg/psycopg2/compare/master...yieldsfalsehood:quote_ident
Return values are just bytestrings right now. bytestring input isn't
accepted on python3.4 (only py3 I tested); unicode and bytestring inputs
look ok for python2.7.
The other PQescape* functions were mentioned earlier but I haven't
touched them, yet.
From | Date | Subject | |
---|---|---|---|
Next Message | Daniele Varrazzo | 2015-05-27 18:18:29 | Re: Sanitize schema name |
Previous Message | Federico Di Gregorio | 2015-05-21 07:47:56 | Re: Sanitize schema name |