On 4/22/24 09:50, Adrian Klaver wrote:
> On 4/22/24 09:34, Philippe Strauss wrote:
>> Hello, I'm Philippe from switzerland,
>>
>> I'm writing using python a small JSON API for a mycology photos
>> archive webapp. Aside the main API endpoint are two
>> helpers for an autocomplete form.
>> Here is the first one:
>>
>> --8<--
>> @app.route('/genus/<genus>')
>> def genus(genus):
>> with dbconn.cursor() as cur:
>> cur.execute("""SELECT myco.genus.name
>> FROM myco.genus
>> WHERE myco.genus.name LIKE %s""", (genus.upper()+'%',))
>> lsgenus = cur.fetchall()
>> ls = []
>> for genus in lsgenus:
>> ls.append(genus[0])
>> return jsonify(ls)
>> --8<--
>>
>> My questions:
>> - What is the best way to use in psycopg3 to express a SELECT ...
>> WHERE ... LIKE blah% ?
>> - Is my code above safe or vulnerable to a injection attack?
>> - What peoples having passed on the same pattern have to recommend?
>
> Read:
>
> https://www.psycopg.org/psycopg3/docs/basic/params.html
>
> It will answer the above.
>
> For this case from link:
>
> "When parameters are used, in order to include a literal % in the query
> you can use the %% string:"
Actually ignore the above, that only applies if you are using % in the
query itself not in the supplied arguments.
>
>>
>> Thanks!
>>
>
--
Adrian Klaver
adrian.klaver@aklaver.com
