Passing table name as a parameter #605
Comments
asyncpg does not do query argument interpolation in any form. The query you write gets passed directly to PostgreSQL. This is unlike psycopg2 which has extensive query rewriting/interpolation mechanisms.
Okay. That is fine. I know it's kind of a niche request. I'm multiplexing requests into different tables and need to make sure the requests can't inject arbitrary SQL to my queries. I solved it with properly validating and restricting the input from my service with regex. Not sure if we should keep this ticket open or not. It would be a nice feature, but I understand if it doesn't fit.
This is outside of scope and can be solved by a wrapper library.
Do you have any recommendations for said wrapper library?
@PhazonicRidley I have been looking into this, and using the built-in postgres function
Hi there,
Thanks for a great library. I just swapped from aiopg and I'm impressed with asyncpg so far.
I'm trying to pass a table name as an input parameter, like this:
And getting:
asyncpg.exceptions.PostgresSyntaxError: syntax error at or near "$1"
In psycopg2 you solve it with a special Identifier class as described in this post: https://stackoverflow.com/questions/13793399/passing-table-name-as-a-parameter-in-psycopg2
My thoughts so far:
conn.fetchrow(f"select count(*) from {asyncpg.sanitize(table)}"). I've seen this earlier, but I forgot which library.
$... syntax in table names also, and either make it work directly with strings, or an Identifier type as used by psycopg
Let me know what you think!
Håkon
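An added example, not code from this thread or from asyncpg, of the wrapper approach the comments point to: the table name is checked against an allowlist and quoted as a PostgreSQL identifier, while values stay as `$n` parameters. The helper names `quote_ident` and `count_query`, the table names and the `tenant_id` column are assumptions made for illustration.

```python
# Constructed allowlist: the only tables this service may multiplex into.
ALLOWED_TABLES = frozenset({"events_eu", "events_us", "audit log"})

# PostgreSQL silently truncates identifiers longer than NAMEDATALEN - 1 bytes,
# so two long names could collapse into one; reject them instead.
MAX_IDENT_BYTES = 63


def quote_ident(name: str) -> str:
    """Quote a string as a PostgreSQL identifier (hypothetical helper)."""
    if not name or "\x00" in name:
        raise ValueError("identifier must be non-empty and contain no NUL")
    if len(name.encode("utf-8")) > MAX_IDENT_BYTES:
        raise ValueError("identifier longer than 63 bytes")
    # Inside a double-quoted identifier the only character that needs
    # escaping is the double quote itself, which is doubled.
    return '"' + name.replace('"', '""') + '"'


def count_query(table: str, allowed=ALLOWED_TABLES) -> str:
    """Build query text for a caller-selected table.

    The identifier is allowlisted and quoted here; the value placeholder
    $1 is left for the driver to bind.
    """
    if table not in allowed:
        raise ValueError(f"table not permitted: {table!r}")
    # Quoted identifiers are case-sensitive: "Events_EU" != events_eu.
    return f"SELECT count(*) FROM {quote_ident(table)} WHERE tenant_id = $1"


# Intended use with an asyncpg connection (not executed here):
#     row = await conn.fetchrow(count_query(table), tenant_id)

if __name__ == "__main__":
    for candidate in ("events_eu", "audit log", 'x"; --', "pg_shadow"):
        try:
            print(candidate, "->", count_query(candidate))
        except ValueError as exc:
            print(candidate, "-> rejected:", exc)
```

Quoting alone keeps a hostile name from breaking out of the identifier position, but it would still let a caller name any table in the database; the allowlist is what restricts which tables can be reached.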