Re: Safe SELECT ... LIKE abc% in psycopg

From Adrian Klaver
Subject Re: Safe SELECT ... LIKE abc% in psycopg
Date
Msg-id 387a4f5e-5886-443d-bc4e-e649706173a4@aklaver.com
In reply to Safe SELECT ... LIKE abc% in psycopg  (Philippe Strauss <philippe@straussaudio.ch>)
Responses Re: Safe SELECT ... LIKE abc% in psycopg  (Adrian Klaver <adrian.klaver@aklaver.com>)
List psycopg
On 4/22/24 09:34, Philippe Strauss wrote:
> Hello, I'm Philippe from Switzerland,
> 
> I'm writing, using Python, a small JSON API for a mycology photo archive 
> webapp. Aside from the main API endpoint there are two
> helpers for an autocomplete form.
> Here is the first one:
> 
> --8<--
> from flask import jsonify
> 
> # app (the Flask instance) and dbconn (the psycopg connection) are created elsewhere
> @app.route('/genus/<genus>')
> def genus(genus):
>      with dbconn.cursor() as cur:
>          # the wildcard is appended to the bound parameter, not to the SQL text
>          cur.execute("""SELECT myco.genus.name
>              FROM myco.genus
>              WHERE myco.genus.name LIKE %s""", (genus.upper()+'%',))
>          # each row is a one-column tuple; keep only the name
>          ls = [row[0] for row in cur.fetchall()]
>      return jsonify(ls)
> --8<--
> 
> My questions:
> - What is the best way in psycopg3 to express a SELECT ... WHERE 
> ... LIKE blah% ?
> - Is my code above safe, or vulnerable to an injection attack?
> - What do people who have used the same pattern recommend?

Read:

https://www.psycopg.org/psycopg3/docs/basic/params.html

It will answer the above.

For this case, from the link:

"When parameters are used, in order to include a literal % in the query 
you can use the %% string:"

> 
> Thanks!
> 

-- 
Adrian Klaver
adrian.klaver@aklaver.com
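The question in this thread is whether appending `%` to a bound parameter is safe, and the reply points at the `%%` rule for a literal percent sign in the query text. The example below is added here and is not code from the thread or from psycopg; it assumes the `myco.genus` table from Philippe's snippet and builds the `(query, params)` pair that psycopg3's `cursor.execute` takes. It goes one step beyond the thread: a `%` or `_` typed by the client is not SQL injection when it travels as a parameter, but it does widen the LIKE search (a lone `%` returns the whole table), so the user text is escaped for LIKE and an `ESCAPE` clause is stated explicitly. A small offline model of LIKE is included so the effect can be checked without a database; the `like_match` helper and the `ESCAPE` choice are this example's assumptions.

```python
import re

# Escape character for the LIKE ... ESCAPE clause. Assumption of this example:
# backslash, which is also PostgreSQL's default LIKE escape character.
ESCAPE = "\\"


def escape_like(term: str, escape: str = ESCAPE) -> str:
    """Escape the LIKE metacharacters (% and _) and the escape character itself,
    so that user-supplied text is matched literally rather than as a pattern."""
    return (
        term.replace(escape, escape + escape)
        .replace("%", escape + "%")
        .replace("_", escape + "_")
    )


def prefix_query(user_prefix: str):
    """(sql, params) for a prefix search as psycopg3 expects it: the wildcard is
    appended to the *parameter*, never formatted into the SQL text, and the
    ESCAPE clause makes any % or _ inside user_prefix literal.
    In Python source '\\\\' is one backslash, so the SQL reads ESCAPE '\\'."""
    sql = (
        "SELECT myco.genus.name FROM myco.genus "
        "WHERE myco.genus.name LIKE %s ESCAPE '\\'"
    )
    return sql, (escape_like(user_prefix.upper()) + "%",)


def prefix_query_sql_side(user_prefix: str):
    """Same search with the wildcard living in the SQL text instead. When
    parameters are used, psycopg3 requires a literal % in the query to be
    written as %%, which is the rule quoted from the docs in the reply."""
    sql = (
        "SELECT myco.genus.name FROM myco.genus "
        "WHERE myco.genus.name LIKE %s || '%%' ESCAPE '\\'"
    )
    return sql, (escape_like(user_prefix.upper()),)


def like_match(pattern: str, value: str, escape: str = ESCAPE) -> bool:
    """Offline model of SQL LIKE with an ESCAPE clause (constructed for this
    example, not a database call): % matches any run, _ matches one character,
    and an escaped metacharacter matches itself."""
    regex = ""
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == escape and i + 1 < len(pattern):
            regex += re.escape(pattern[i + 1])  # escaped char: literal
            i += 2
            continue
        if ch == "%":
            regex += ".*"
        elif ch == "_":
            regex += "."
        else:
            regex += re.escape(ch)
        i += 1
    return re.fullmatch(regex, value, re.DOTALL) is not None


if __name__ == "__main__":
    # Constructed sample rows standing in for myco.genus.name.
    rows = ["AMANITA", "AGARICUS", "BOLETUS", "%ODDNAME"]

    # Normal client input: only names starting with AMA match.
    sql, params = prefix_query("ama")
    print(sql, params)
    print([r for r in rows if like_match(params[0], r)])  # ['AMANITA']

    # Hostile-looking input: a bare % is bound as data, so no SQL injection,
    # but without escaping it would have matched every row. Escaped, it matches
    # only the name that really starts with a percent sign.
    _, params = prefix_query("%")
    print([r for r in rows if like_match(params[0], r)])  # ['%ODDNAME']
```

Never build the pattern with string formatting (`"... LIKE '%s%%'" % genus`): that puts client text into the SQL itself and is the injection case the question asks about; the bound-parameter form in the original snippet is safe against that, and escaping adds only the narrower guarantee that client wildcards do not enlarge the result set.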
