DM-10267: Port HSC support for PostgreSQL registries to LSST #121
Conversation
| if len(self.config.unique) > 0: | ||
| cmd += ", UNIQUE(" + ",".join(self.config.unique) + ")" | ||
| cmd += ")" | ||
| cur.execute(cmd) |
There was a problem hiding this comment.
I thought when using dbapi, it was preferred to let the cursor.execute(operation, parameters) method substitute the values into the string, for protection against Bobby Tables. It looks like you're doing the substitutions above. Are you sure you're safe?
There was a problem hiding this comment.
I had Little Bobby Tables in my mind as I was working, but it doesn't look like the placeholders work when used for table names or types --- just values.
There was a problem hiding this comment.
aha, yes. I had that experience too.
I'm not sure what the security requirements are in that case. @timj?
There was a problem hiding this comment.
I thought we always used ? placeholders.
There was a problem hiding this comment.
does the db library have a method for cleaning external input?
There was a problem hiding this comment.
when you call execute, and pass a string with placeholders in for operation and parameters in, the parameters will be cleaned before substituted into the operation string.
the placeholder character seems to depend on paramstyle(?)
PaulPrice
force-pushed
the
tickets/DM-10267
branch
from
1967646
to
57c2b90
Compare
Allows code re-use.
DB-API (PEP 249) does not have a Connection.execute method, but has Cursor.execute. Using DB-API allows us to abstract the database back-end.
INSERT OR IGNORE is SQLite-specific; replace it with something more standard.
The choice of placeholder (e.g., '?' in SQLite) varies by database and/or python database module. Make this a class variable. We need to cast values to the expected type, because not all databases and/or python database modules are lax about the type (SQLite is, PostgreSQL is not).
PaulPrice
force-pushed
the
tickets/DM-10267
branch
from
57c2b90
to
f7293e7
Compare
No description provided.