DM-10267: Port HSC support for PostgreSQL registries to LSST #121
Conversation
    if len(self.config.unique) > 0:
        cmd += ", UNIQUE(" + ",".join(self.config.unique) + ")"
    cmd += ")"
    cur.execute(cmd)
I thought when using dbapi, it was preferred to let the cursor.execute(operation, parameters) method substitute the values into the string, for protection against Bobby Tables. It looks like you're doing the substitutions above. Are you sure you're safe?
I had Little Bobby Tables in my mind as I was working, but it doesn't look like the placeholders work when used for table names or types --- just values.
aha, yes. I had that experience too.
I'm not sure what the security requirements are in that case. @timj?
I thought we always used ? placeholders.
does the db library have a method for cleaning external input?
When you call execute and pass a string with placeholders in for operation, and parameters in, the parameters will be cleaned before being substituted into the operation string. The placeholder character seems to depend on paramstyle(?)
1967646 to 57c2b90
Allows code re-use.
DB-API (PEP 249) does not have a Connection.execute method, but has Cursor.execute. Using DB-API allows us to abstract the database back-end.
INSERT OR IGNORE is SQLite-specific; replace it with something more standard.
The choice of placeholder (e.g., '?' in SQLite) varies by database and/or python database module. Make this a class variable. We need to cast values to the expected type, because not all databases and/or python database modules are lax about the type (SQLite is, PostgreSQL is not).
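The thread above and the last commit message make the same two points: DB-API placeholders bind values only (a `?` cannot stand in for a table name or a column type), and the placeholder character depends on the driver's `paramstyle`. The following is an added example, not code from this PR or from the LSST codebase, written against the stdlib `sqlite3` module so it runs offline. The `paramstyle` to placeholder mapping, the identifier regex and the column-type allowlist are the example's own assumptions; the project may choose different rules.

```python
import re
import sqlite3

# Placeholder per DB-API (PEP 249) paramstyle. sqlite3 reports "qmark" (?) and
# psycopg2 reports "pyformat" (%s). This mapping is an assumption of the example.
_PLACEHOLDERS = {"qmark": "?", "format": "%s", "pyformat": "%s"}

# Column types we are willing to interpolate into DDL. Types cannot be bound as
# parameters either, so they get the same allowlist treatment as identifiers.
_ALLOWED_TYPES = {"INTEGER", "TEXT", "REAL", "BLOB"}

# Strict identifier allowlist (assumed policy): letters, digits, underscore only.
_IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def placeholder(module) -> str:
    """Return the positional placeholder for a DB-API module, or raise."""
    try:
        return _PLACEHOLDERS[module.paramstyle]
    except KeyError:
        raise ValueError(f"unsupported paramstyle {module.paramstyle!r}") from None


def quote_identifier(name: str) -> str:
    """Allowlist-validate a table or column name and double-quote it.

    Identifiers cannot be bound with placeholders, so validation before string
    interpolation is the only defence against an injected identifier.
    """
    if not _IDENT_RE.match(name):
        raise ValueError(f"unsafe SQL identifier: {name!r}")
    return f'"{name}"'


def build_create_table(table, columns, unique=()):
    """Build CREATE TABLE DDL from validated names and allowlisted types."""
    parts = []
    for col, typ in columns:
        if typ.upper() not in _ALLOWED_TYPES:
            raise ValueError(f"unsupported column type: {typ!r}")
        parts.append(f"{quote_identifier(col)} {typ.upper()}")
    if unique:
        parts.append("UNIQUE(" + ", ".join(quote_identifier(c) for c in unique) + ")")
    return f"CREATE TABLE {quote_identifier(table)} ({', '.join(parts)})"


def placeholder_works_for_table_name(conn) -> bool:
    """Try to bind a table name as a parameter. sqlite3 rejects it at prepare time."""
    try:
        conn.execute("CREATE TABLE ? (id INTEGER)", ("students",))
    except sqlite3.OperationalError:
        return False
    return True


def insert_and_read(conn, table, name):
    """Insert a value through a placeholder and read the stored names back."""
    ph = placeholder(sqlite3)
    tbl = quote_identifier(table)
    conn.execute(f"INSERT INTO {tbl} (name) VALUES ({ph})", (name,))
    return [row[0] for row in conn.execute(f"SELECT name FROM {tbl} ORDER BY rowid")]


def demo():
    """Return (stored names, hostile identifier rejected?, table name bindable?)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(build_create_table("students", [("id", "INTEGER"), ("name", "TEXT")],
                                    unique=("name",)))
    # Constructed "Little Bobby Tables" payload: bound as a value it is stored
    # literally, not executed.
    payload = "Robert'); DROP TABLE students;--"
    names = insert_and_read(conn, "students", payload)
    # A hostile identifier cannot be bound, so the allowlist has to reject it.
    try:
        quote_identifier('students"; DROP TABLE students;--')
        rejected = False
    except ValueError:
        rejected = True
    return names, rejected, placeholder_works_for_table_name(conn)


if __name__ == "__main__":
    print(demo())
```

For PostgreSQL the same split applies: values go through `%s` parameters, while table and column names must be validated (or built with the driver's identifier-quoting facility, if it has one) before they are interpolated into the statement text.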
57c2b90 to f7293e7