| From: | "W(dot) Matthew Wilson" <matt(at)tplus1(dot)com> |
|---|---|
| To: | psycopg(at)postgresql(dot)org |
| Subject: | Is passing a list as a bound variable safe from SQL injection? |
| Date: | 2013-10-02 15:48:13 |
| Message-ID: | CAGHfCUD2sNRXQYEzPXq=nh3++b4_tm6dpnqrfq0dS1fru3xEew@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | psycopg |
Here's the python code:
cursor.execute(textwrap.dedent("""
select *
from bundles
where bundle_id = any(%(list_of_bundle_ids))
"""), {'list_of_bundle_ids': [2,3,4,5,6,7]})
Is there more of a risk of SQL injection here by passing in a list of
integers list this?
Also, is there some simple way I can pass in a list of strings that could
be converted to integers, like this:
["2", "33", "444"]
When I tried passing a list containing a string, I got an "operator does
not exist" error.
Finally, I feel like recently I read a blog post that described how using
"= any(array[...])" was much slower than using some other approach.
But now I can't find that blog post, and I don't remember the other
approach. Any ideas?
Thanks for the help!
Matt
--
W. Matthew Wilson
matt(at)tplus1(dot)com
http://tplus1.com
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Daniele Varrazzo | 2013-10-02 16:17:11 | Re: Is passing a list as a bound variable safe from SQL injection? |
| Previous Message | Audrius Kažukauskas | 2013-09-30 17:56:54 | psycopg2 doesn't use LDFLAGS from pg_config |