Re: SQL injection in a ~ or LIKE statement

On Oct 20 05:07, hefferon9@adelphia.net wrote:
> I'm concerned about whether the usual parameter escaping mechanism is
> enough in a LIKE or regular expression search.
>
> I run a recent Postgres version and use the Python connector psycopg2
> for a web application.  I understand that if I always escape as in
>
>   dBres=dBcsr.execute('SELECT docText FROM documents WHERE
>   name=%(storyName)s',{'storyName':storyName})
>
> then I am doing the right thing.

Please pay attention that [IIRC] psycopg2 uses its own escaping
mechanism.  Therefore, you should better ask this question on psycopg2
ml.

> I plan to add full text searching also; is the escaping mechanism
> enough there?

If I were you, I'd ask psycopg2 developers to implement parameters that
are natively supported by PostgreSQL. With parameters, you won't mess up
with any escaping or injection related issue.


Regards.