user348484

Reputation: 41

Is fetchval in asyncpg safe from SQL injection?

https://magicstack.github.io/asyncpg/current/api/index.html?highlight=fetch#asyncpg.connection.Connection.fetch

async def get_user_id_by_bot_id(self, bot_id):
    # fetchval returns the first column of the first row (or None), not a Record
    record = await self.pool.fetchval(self.GET_USER_ID_BY_BOT_ID, (bot_id))
    print(record)
    return record

Thank you for your answers.

Upvotes: 1

Views: 2037

Answers (1)

Bluenix

Reputation: 429

Yes, asyncpg uses PostgreSQL's syntax for parameter substitution. As long as you use that feature, by passing the arguments and using $ followed by the index of the argument, you should be safe!

You shouldn't put the args in a tuple like you show in your code, but do this:

record: Record = await self.pool.fetchval(self.GET_USER_ID_BY_BOT_ID, bot_id)

Some more examples of how you should correctly use parameter substitution:

record = await self.pool.fetchval("SELECT * FROM table WHERE id = $1;", my_id)
record = await self.pool.fetchval("UPDATE table SET name = $1 WHERE id = $2 AND username = $3;", new_name, my_id, username)

Upvotes: 2
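The point of the answer, shown side by side as an added example (this is not code from the question, the answer, or asyncpg itself): when a value is formatted into the SQL string, the database parses attacker input as SQL; with `$1` placeholders the query text never changes and the values travel separately. The `unsafe_query`, `placeholder_count` and `prepare` helpers below are a pure-Python model of that separation and run without a database; the `get_user_id_by_bot_id` coroutine is the question's method with `bot_id` passed as a plain argument, and `main` needs a real PostgreSQL DSN. The table and column names (`bots`, `user_id`, `bot_id`) and the injected input are constructed for the example. Note also that `(bot_id)` in Python is just `bot_id` in parentheses, not a tuple; a tuple would be `(bot_id,)`.

```python
"""
Added example: string-formatted SQL versus asyncpg's $n parameter substitution.
Table/column names and the attacker input are assumptions made for the demo.
"""
import asyncio
import re

# Constructed: the kind of query the question keeps in self.GET_USER_ID_BY_BOT_ID.
GET_USER_ID_BY_BOT_ID = "SELECT user_id FROM bots WHERE bot_id = $1"

# Constructed attacker input: closes the comparison and widens the WHERE clause.
INJECTED_BOT_ID = "1 OR 1=1"


def unsafe_query(bot_id) -> str:
    """Vulnerable form: the value is spliced into the SQL text, so whatever
    the caller supplies is parsed by the database as SQL."""
    return f"SELECT user_id FROM bots WHERE bot_id = {bot_id}"


def placeholder_count(sql: str) -> int:
    """Highest $n placeholder in a query, or 0 when there are none."""
    numbers = [int(n) for n in re.findall(r"\$(\d+)", sql)]
    return max(numbers, default=0)


def prepare(sql: str, *args):
    """Model of what fetchval(sql, *args) hands to the server: the unchanged
    query text plus a separate tuple of parameters. The SQL string is the
    same no matter what the arguments contain, which is why $n placeholders
    are not injectable. A mismatched argument count is rejected, as asyncpg
    would reject it."""
    expected = placeholder_count(sql)
    if expected != len(args):
        raise ValueError(f"query expects {expected} argument(s), got {len(args)}")
    return sql, args


async def get_user_id_by_bot_id(pool, bot_id: int):
    """The question's method, parameterized: bot_id is passed as an argument,
    not inside a tuple and not formatted into the string. fetchval returns
    the first column of the first row, or None when nothing matches."""
    return await pool.fetchval(GET_USER_ID_BY_BOT_ID, bot_id)


async def main(dsn: str):
    # Assumption: asyncpg is installed and a PostgreSQL server answers at dsn.
    import asyncpg

    pool = await asyncpg.create_pool(dsn)
    try:
        print(await get_user_id_by_bot_id(pool, 1))
    finally:
        await pool.close()


if __name__ == "__main__":
    # Quick look at the two forms without a database:
    print(unsafe_query(INJECTED_BOT_ID))              # attacker input became SQL
    print(prepare(GET_USER_ID_BY_BOT_ID, INJECTED_BOT_ID))  # SQL text unchanged
    # Runs only with a real database (placeholder DSN, an assumption):
    asyncio.run(main("postgresql://user:password@localhost/dbname"))
```

With asyncpg the parameter is also typed: a `bot_id` column declared as an integer will not accept the string `"1 OR 1=1"` at all, so the injected text can neither change the query nor be bound to an integer parameter.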
