I'm writing using python a small JSON API for a mycology photos archive webapp. Aside the main API endpoint are two helpers for an autocomplete form. Here is the first one:
--8<-- @app.route('/genus/<genus>') def genus(genus): with dbconn.cursor() as cur: cur.execute("""SELECT myco.genus.name FROM myco.genus WHERE myco.genus.name LIKE %s""", (genus.upper()+'%',)) lsgenus = cur.fetchall() ls = [] for genus in lsgenus: ls.append(genus[0]) return jsonify(ls) --8<--
My questions: - What is the best way to use in psycopg3 to express a SELECT ... WHERE ... LIKE blah% ? - Is my code above safe or vulnerable to a injection attack? - What peoples having passed on the same pattern have to recommend?