Sql prefix for string literal

kjeldflarup · December 31, 2021, 10:33am

Now I was a bit lazy and did this update of my database
cur.execute(f"UPDATE `account` SET `amount` = {amount} WHERE `account`.`id` = {id};")

That is of course a no go, as this allows for sql injection. It should be like this:

query = "UPDATE `account` SET `amount` = %s WHERE `account`.`id` = %s;"
data = ( amount, id )
update = ( query, data )
cur.execute(query, data )

Then I thought, is there a sql prefix

cur.execute(q"UPDATE `account` SET `amount` = {amount} WHERE `account`.`id` = {id};")

The q prefix would then return a list with a query and the data array (which execute should be modified to accept)

query = "UPDATE `account` SET `amount` = %s WHERE `account`.`id` = %s;"
data = ( amount, id )
return ( query, data )

This would make it easier to apply security from the start, and of course not conflict readability with security

pf_moore · December 31, 2021, 10:59am

See PEP 501 which specifically mentions SQL as a use case. It’s currently deferred, but there’s extensive discussion on the python-ideas mailing list from some time back (probably 5 or 6 years ago) that you might find interesting or relevant.

Topic		Replies	Views
Deprecate PEP 249 (DB-API 2.0) Ideas	28	815	March 2, 2024
Allow for arbitrary string prefix of strings Ideas	15	2044	December 29, 2022
Unexpected behavior in sqlite3 module with query parameterization Python Help help	5	606	April 19, 2023
Coding a dynamic SQLite update query where a criterion or assignment may be None? Python Help	0	356	December 17, 2023
Add ability to define literal prefixes in classes Ideas builtins	4	593	July 24, 2023

Sql prefix for string literal

Related Topics