Thread: Using standard SQL placeholders in PG
PostgreSQL ("PG") supports the notion of placeholders, as do many other relational databases. The placeholder notation in PG uses $X within the SQL. For example:
select foo
from bar
where bletch = $1
is valid SQL. The doller-notation allows re-use of positional parameters and avoids SQL injection entirely by placing the input is appropriately-typed buffers w/in the SQL statement handler. It also avoids issues with double-interpolating quotes as the placeholders are not literals and do not require SQL-quoting to be interpolated properly.
We have quite a bit of SQL here that has to be shared between Python and other packages, so using standard PG SQL statements is required.
Q: Is there any way to prepare and execute standard PG SQL statements with dollar placeholders in PsychoPG2?
Thanks
On Wed, 13 Oct 2021 at 15:44, Lembark, Steven <Steven.Lembark@broadridge.com> wrote: >... The doller-notation allows re-use of positional parameters and avoids SQL injection entirely by placing the input isappropriately-typed buffers w/in the SQL statement handler. It also avoids issues with double-interpolating quotes as theplaceholders are not literals and do not require SQL-quoting to be interpolated properly. You still require to convert items to string in the right format understood by Postgres, which might be different from the Python string form. > Q: Is there any way to prepare and execute standard PG SQL statements with dollar placeholders in PsychoPG2? No. psycopg2 is entirely built around "convert to postgres format and add quotes". We have just released Psycopg 3 exactly to solve this kind of problem. It also has no direct access to PQexecParams, but it only uses PQexec so there's no easy way to plug in the $1 params. Note that still Psycopg 3 doesn't allow you to use $1 placeholders, but they are the ones it uses internally. There is an internal object, PostgresQuery, that takes a %s-style query and, among other things, converts it in $n format. It wouldn't be a difficult thing to write a cursor to do less work and just convert the arguments. In Psycopg 3 you can also go a level lower and call directly PQexecParams passing the query and arguments you want, in postgres format, but then you have to do the conversion from Python objects to Postgres format yourself. I would rather put together a cursor to do so, as above. So, things can be done, but in Psycopg 3. -- Daniele