Is passing a list as a bound variable safe from SQL injection? - Mailing list psycopg

From W. Matthew Wilson
Subject Is passing a list as a bound variable safe from SQL injection?
Date
Msg-id CAGHfCUD2sNRXQYEzPXq=nh3++b4_tm6dpnqrfq0dS1fru3xEew@mail.gmail.com
Responses Re: Is passing a list as a bound variable safe from SQL injection?
List psycopg
Here's the python code:

    import textwrap

    # Named placeholders in psycopg2 are spelled %(name)s; the trailing "s" is required.
    cursor.execute(textwrap.dedent("""
        select *
        from bundles
        where bundle_id = any(%(list_of_bundle_ids)s)
        """), {'list_of_bundle_ids': [2,3,4,5,6,7]})

Is there more of a risk of SQL injection here by passing in a list of integers like this?

Also, is there some simple way I can pass in a list of strings that could be converted to integers, like this:

    ["2", "33", "444"]

When I tried passing a list containing a string, I got an "operator does not exist" error.

Finally, I feel like recently I read a blog post that described how using "= any(array[...])" was much slower than using some other approach.

But now I can't find that blog post, and I don't remember the other approach.  Any ideas?

Thanks for the help!

Matt



--
W. Matthew Wilson
matt@tplus1.com
http://tplus1.com
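As an added illustration (not part of the original post or of psycopg), the pattern the question is about: the id list is handed to the driver as one bound parameter under the `%(name)s` placeholder, and incoming strings are strictly coerced to integers first, so the ARRAY the driver builds never contains anything but integers. The `RecordingCursor` below is a constructed stand-in for a psycopg2 cursor so that the separation of SQL text and parameters can be inspected without a database.

```python
import re
import textwrap
from typing import Iterable

# Same query as in the post; the list is bound as a single ARRAY parameter.
BUNDLES_BY_ID_SQL = textwrap.dedent("""
    select *
    from bundles
    where bundle_id = any(%(list_of_bundle_ids)s)
    """)

_DIGITS = re.compile(r"[0-9]+")


def to_int_ids(raw_ids: Iterable[object]) -> list[int]:
    """Strictly convert values such as ["2", "33", "444"] to ints.

    Only ints (not bools) and all-ASCII-digit strings are accepted, so a
    value like "7 or true" is rejected here rather than reaching the driver.
    """
    ids: list[int] = []
    for value in raw_ids:
        if isinstance(value, bool):
            raise ValueError(f"not an integer id: {value!r}")
        if isinstance(value, int):
            ids.append(value)
        elif isinstance(value, str) and _DIGITS.fullmatch(value):
            ids.append(int(value))
        else:
            raise ValueError(f"not an integer id: {value!r}")
    return ids


def fetch_bundles(cursor, raw_ids: Iterable[object]):
    """Run the query; the SQL text is constant and the ids travel as data."""
    params = {"list_of_bundle_ids": to_int_ids(raw_ids)}
    cursor.execute(BUNDLES_BY_ID_SQL, params)
    return cursor.fetchall()


class RecordingCursor:
    """Constructed stand-in for a psycopg2 cursor: records execute() calls."""

    def __init__(self) -> None:
        self.calls: list[tuple[str, dict]] = []

    def execute(self, sql: str, params=None) -> None:
        self.calls.append((sql, params))

    def fetchall(self) -> list:
        return []  # no database behind this stand-in


if __name__ == "__main__":
    cur = RecordingCursor()
    fetch_bundles(cur, ["2", "33", "444"])
    print(cur.calls[0])  # SQL with %(list_of_bundle_ids)s, params {'list_of_bundle_ids': [2, 33, 444]}
```

With a real psycopg2 cursor, `cursor.mogrify(BUNDLES_BY_ID_SQL, params)` shows the list rendered as an `ARRAY[...]` literal of integers.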
