Python
yukharpaev, 2017-05-03 19:49:38

How to compare against a substring without SQL injection?

The query is built in a Python module.
The database is PostgreSQL.
The SQL query contains a comparison against a substring:

'''
SELECT *
FROM TableTemp
WHERE "SomeColumn" LIKE '%{0}%'
'''.format(<some_string>)

If the string is:
%' --
then the check will always return true.
Beyond that, a SQL injection becomes possible.
Tell me, how should the string be processed properly so that it is taken into account in the search but does not break the query and allows no SQL injection?

1 answer(s)
sim3x, 2017-05-03

initd.org/psycopg/docs/usage.html#query-parameters
Psycopg casts Python variables to SQL literals by type. Many standard Python types are already adapted to the correct SQL representation.
Example: the Python function call:

>>> import datetime
>>> cur.execute(
...     """INSERT INTO some_table (an_int, a_date, a_string)
...         VALUES (%s, %s, %s);""",
...     (10, datetime.date(2005, 11, 18), "O'Reilly"))
is converted into the SQL command:

INSERT INTO some_table (an_int, a_date, a_string)
 VALUES (10, '2005-11-18', 'O''Reilly');

Named arguments are supported too using %(name)s placeholders. Using named arguments, the values can be passed to the query in any order and many placeholders can use the same values:
>>> cur.execute(
...     """INSERT INTO some_table (an_int, a_date, another_date, a_string)
...         VALUES (%(int)s, %(date)s, %(date)s, %(str)s);""",
...     {'int': 10, 'str': "O'Reilly", 'date': datetime.date(2005, 11, 18)})
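The answer above shows parameter binding in general, but the question is specifically about a LIKE pattern, where binding alone is not enough: a bound `%` or `_` still acts as a wildcard inside the pattern. The following example (added here; it is not code from sim3x, from the psycopg documentation or from the original post) puts the vulnerable format-string query from the question next to a safe version that binds the pattern as a parameter and escapes the LIKE metacharacters first. To run offline it uses the standard-library `sqlite3` module as a stand-in for PostgreSQL, which is an assumption: sqlite3 uses `?` placeholders where psycopg uses `%s`, and the table, rows and the helper names `escape_like` and `build_substring_query` are constructed for the example.

```python
import sqlite3

# Constructed sample rows for the demonstration (not from the original post).
SAMPLE_ROWS = ["alpha", "100% pure", "snake_case", "beta"]


def escape_like(value: str, escape: str = "\\") -> str:
    """Escape LIKE metacharacters so user text is matched literally.

    The escape character itself must be doubled first, otherwise a
    user-supplied backslash would escape the '\\%' we add afterwards.
    """
    return (value.replace(escape, escape + escape)
                 .replace("%", escape + "%")
                 .replace("_", escape + "_"))


def build_substring_query(user_input: str):
    """Return (sql, params) for a parameterised substring search.

    The whole pattern is a bound parameter, so quotes and '--' in
    user_input are data, never SQL.  The ESCAPE clause is explicit so
    the escaping does not depend on server defaults.  With psycopg the
    same statement is written with %s instead of ? (assumed placeholder
    syntax for sqlite3 here).
    """
    pattern = "%" + escape_like(user_input) + "%"
    sql = 'SELECT "SomeColumn" FROM TableTemp WHERE "SomeColumn" LIKE ? ESCAPE ?'
    return sql, (pattern, "\\")


def vulnerable_query(user_input: str) -> str:
    """The construction from the question: user text formatted into SQL."""
    return '''
    SELECT "SomeColumn"
    FROM TableTemp
    WHERE "SomeColumn" LIKE '%{0}%'
    '''.format(user_input)


def _db():
    # In-memory stand-in for the PostgreSQL table (assumption for the example).
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE TableTemp ("SomeColumn" TEXT)')
    conn.executemany('INSERT INTO TableTemp VALUES (?)',
                     [(row,) for row in SAMPLE_ROWS])
    return conn


def search_vulnerable(user_input: str) -> list:
    """Run the format-string query; input %' -- closes the quote and comments out the rest."""
    conn = _db()
    try:
        return [r[0] for r in conn.execute(vulnerable_query(user_input))]
    finally:
        conn.close()


def search_safe(user_input: str) -> list:
    """Run the parameterised query with escaped wildcards."""
    conn = _db()
    try:
        sql, params = build_substring_query(user_input)
        return [r[0] for r in conn.execute(sql, params)]
    finally:
        conn.close()


if __name__ == "__main__":
    print(search_vulnerable("%' --"))  # all rows: the quote was closed, the rest is a comment
    print(search_safe("%' --"))        # []: no row contains that literal text
    print(search_safe("100%"))         # ['100% pure']: '%' is matched literally
    print(search_safe("_case"))        # ['snake_case']: '_' is matched literally
```

Against PostgreSQL with psycopg2 the safe call is `cur.execute('SELECT * FROM TableTemp WHERE "SomeColumn" LIKE %s ESCAPE %s', ("%" + escape_like(s) + "%", "\\"))`; the placeholder syntax is the only thing that changes. Note that SQLite's LIKE is case-insensitive for ASCII while PostgreSQL's is case-sensitive, so the stand-in is faithful for the injection and escaping behaviour but not for case handling.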
