Re: SQL injection in a ~ or LIKE statement

| From | Volkan YAZICI |
|---|---|
| Subject | Re: SQL injection in a ~ or LIKE statement |
| Date | |
| Msg-id | 20061022193248.GF1374@alamut |
| In reply to | SQL injection in a ~ or LIKE statement (<hefferon9@adelphia.net>) |
| Replies | Re: SQL injection in a ~ or LIKE statement |
| List | pgsql-general |
On Oct 20 05:07, hefferon9@adelphia.net wrote:
> I'm concerned about whether the usual parameter escaping mechanism is
> enough in a LIKE or regular expression search.
>
> I run a recent Postgres version and use the Python connector psycopg2
> for a web application. I understand that if I always escape as in
>
> dBres=dBcsr.execute('SELECT docText FROM documents WHERE
> name=%(storyName)s',{'storyName':storyName})
>
> then I am doing the right thing.

Please pay attention that [IIRC] psycopg2 uses its own escaping mechanism. Therefore, you had better ask this question on the psycopg2 ml.

> I plan to add full text searching also; is the escaping mechanism
> enough there?

If I were you, I'd ask psycopg2 developers to implement parameters that are natively supported by PostgreSQL. With parameters, you won't mess with any escaping- or injection-related issue.

Regards.
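The point raised in this thread, as an added example that is not part of the original mail: binding the user's value as a query parameter stops SQL injection, but inside a `LIKE` pattern the characters `%` and `_` are still interpreted as wildcards, so a caller can widen a search without ever breaking out of the string. The fix is a second, separate step: escape the wildcard characters in the value before binding it. The example uses Python's bundled `sqlite3` module as a stand-in for psycopg2 and a live PostgreSQL server (the `documents` table, its rows and the `?` placeholder are constructed for the demo; with psycopg2 the placeholder would be `%(storyName)s` as in the quoted code, and PostgreSQL already treats backslash as the default `LIKE` escape character, so the `ESCAPE` clause is optional there).

```python
import sqlite3

# Rows constructed for the demo; "100% proof" and "secret_file" contain
# characters that LIKE treats as wildcards.
DEMO_ROWS = [
    ("100% proof", "doc 1"),
    ("100 percent", "doc 2"),
    ("secret_file", "doc 3"),
    ("secretXfile", "doc 4"),
]


def escape_like(value: str, escape_char: str = "\\") -> str:
    """Escape LIKE metacharacters so `value` matches only itself.

    The escape character must be doubled first, otherwise a user-supplied
    backslash could neutralise the escape we add for % or _.
    """
    return (value.replace(escape_char, escape_char * 2)
                 .replace("%", escape_char + "%")
                 .replace("_", escape_char + "_"))


def build_demo_db() -> sqlite3.Connection:
    """In-memory table standing in for the `documents` table of the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents (name TEXT, docText TEXT)")
    conn.executemany("INSERT INTO documents VALUES (?, ?)", DEMO_ROWS)
    return conn


def naive_search(conn: sqlite3.Connection, story_name: str) -> list:
    """Parameter binding only: safe against injection, but % and _ in
    story_name still act as wildcards and widen the match."""
    pattern = "%" + story_name + "%"
    cur = conn.execute("SELECT name FROM documents WHERE name LIKE ?", (pattern,))
    return sorted(row[0] for row in cur)


def safe_search(conn: sqlite3.Connection, story_name: str) -> list:
    """Parameter binding plus wildcard escaping: the user's text is matched
    literally, and the only wildcards are the two we add ourselves."""
    pattern = "%" + escape_like(story_name) + "%"
    cur = conn.execute(
        "SELECT name FROM documents WHERE name LIKE ? ESCAPE '\\'", (pattern,)
    )
    return sorted(row[0] for row in cur)


if __name__ == "__main__":
    db = build_demo_db()
    # Wildcard in the search term: naive matches two rows, safe matches one.
    print(naive_search(db, "100%"))   # ['100 percent', '100% proof']
    print(safe_search(db, "100%"))    # ['100% proof']
    # Classic injection payload is bound as data in both cases: no rows.
    print(safe_search(db, "' OR 1=1 --"))
```

Both functions are immune to the `' OR 1=1 --` style payload because the value never touches the SQL text; only `safe_search` is immune to wildcard abuse. The same two-step rule applies to the `~` operator from the subject line: bind the value as a parameter, and separately escape regular-expression metacharacters if the user text is meant to be matched literally.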