Pravin
Reputation: 697
parameterized query Postgres for sql injection mitigation
stmt = "SELECT filecontent FROM filecontent WHERE filecontent_id = %d AND filecontent LIKE '%% %s %%'"%(int(result_file_pri[0]),str(myjson['recordType']))
curs.execute(stmt)
Trying to conevert above postgres query to parameterized query to itigate sql injection. The solution I found on internet is to include stmt in execute statement and take %s out of quotes i.e
curs.execute("SELECT filecontent FROM filecontent WHERE filecontent_id = %s AND filecontent LIKE %% %s %%",(int(result_file_pri[0]),str(myjson['recordType'])))
The above doesn't work for %% %s %% for me, how do I rectify the problem?
Upvotes: 1
Views: 337
Answers (1)
zerkms
Reputation: 254916
It should be the parameter that holds the percent character:
curs.execute("SELECT filecontent FROM filecontent WHERE filecontent_id = %s AND filecontent LIKE %s",
(int(result_file_pri[0]), str("%" + myjson['recordType'] + "%")))
^----------------------------^
so the wildcard is the
part of the parameter
Upvotes: 2
Related Questions
- psycopg2 and SQL injection security
- Parameterized queries with psycopg2 / Python DB-API and PostgreSQL
- Is further psycopg2 SQL injection mitigtation possible?
- Parameterize SQL Queries with psycopg2
- How to avoid SQL injection with "SELECT * FROM {table_name}"?
- How to append a query of PostgreSQL to another query in Python 3 and prevent SQL Injection?
- SQL Injection Prevention in Python - is using parameterized query enough?
- Prevent sql injection with lists in python
- Pyscopg2 SQL Injection security with LIKE clause
- Filter SQL statement against malicious injection in Python