Passing table name as a parameter #605
Comments
|
asyncpg does not do query argument interpolation in any form. The query you write gets passed directly to PostgreSQL. This is unlike psycopg2 which has extensive query rewriting/interpolation mechanisms. |
|
Okay. That is fine. I know its kind of a niche request. I'm multiplexing requests into different tables and need to make sure the requests cant inject arbitrary SQL to my queries. I solved it with properly validating and restricting the input from my service with regex. Not sure if we should keep this ticket open or not. It would be a nice feature, but I understand if it doesn't fit. |
This is outside of scope and can be solved by a wrapper library. |
|
Do you have any recommendations for said wrapper library? |
|
@PhazonicRidley I have been looking into this, and using the build in postgres function |
Hi there,
Thanks for a great library. I just swapped from
aiopgand I'm impressed withasyncpgso far.I'm trying to pass a table name as an input parameter, like this:
And getting:
asyncpg.exceptions.PostgresSyntaxError: syntax error at or near "$1"In
psycopg2you solve it with a specialIdentifierclass as described in this post: https://stackoverflow.com/questions/13793399/passing-table-name-as-a-parameter-in-psycopg2My thoughts so far:
conn.fetchrow(f"select count(*) from {asyncpg.sanitize(table)}). I've seen this earlier, but I forgot which library.$...syntax in table names also, and either make it work directly with strings, or anIdentifiertype as used bypsycopgLet me know what you think!
Håkon
The text was updated successfully, but these errors were encountered: