SQL injection in a ~ or LIKE statement
| От | |
|---|---|
| Тема | SQL injection in a ~ or LIKE statement |
| Дата | |
| Msg-id | 22553802.1161346079451.JavaMail.root@web20 обсуждение исходный текст |
| Ответы |
Re: SQL injection in a ~ or LIKE statement
|
| Список | pgsql-general |
Hello,
I'm concerned about whether the usual parameter escaping mechanism is enough in a LIKE or regular expression search.
I run a recent Postgres version and use the Python connector psycopg2 for a web application. I understand that if I
alwaysescape as in
dBres=dBcsr.execute('SELECT docText FROM documents WHERE name=%(storyName)s',{'storyName':storyName})
then I am doing the right thing. Suppose now that I want to search the text of those documents? I have been unable to
findif I need to anything more for a LIKE or regex search, and also unable to find any assurance that it is enough.
(Nodoubt I've not looked in the right place; sorry.)
I plan to add full text searching also; is the escaping mechanism enough there?
Thank you for your help,
Jim
В списке pgsql-general по дате отправления: