Home > mailing lists

Re: SQL injection in a ~ or LIKE statement - Mailing list pgsql-general

From	Volkan YAZICI
Subject	Re: SQL injection in a ~ or LIKE statement
Date	October 23, 2006 07:21:32
Msg-id	20061023071534.GA1363@alamut Whole thread Raw
In response to	Re: SQL injection in a ~ or LIKE statement ("Uwe C. Schroeder" <uwe@oss4u.com>)
List	pgsql-general

Tree view

On Oct 22 02:33, Uwe C. Schroeder wrote:
> On Sunday 22 October 2006 12:32, Volkan YAZICI wrote:
> > If I were you, I'd ask psycopg2 developers to implement parameters that
> > are natively supported by PostgreSQL. With parameters, you won't mess up
> > with any escaping or injection related issue.
>
> psycopg2 supports parameters which are escaped properly.

You're wrong. psycopg uses Python style parameters and escapes the
specified input before inserting into query string. See documentation of
PQexecParams() for the "parameters" I mentioned. I think, you're
confusing terms. I just checked psycopg2 source code and couldn't see
any parameter implementation.

Regards.

pgsql-general by date:

From: Joost Kraaijeveld
Date: 23 October 2006, 06:22:30
Subject: Re: How to determine initdb parameters on old database?

From: Alban Hertroys
Date: 23 October 2006, 07:43:27
Subject: Re: Overload after some minutes, please help!

Re: SQL injection in a ~ or LIKE statement - Mailing list pgsql-general

Previous

Next