Talk:Python PostgreSQL Driver TODO

From PostgreSQL wiki

Jump to: navigation, search

Bind Variables / SQL Injection?

I had added this to the known issues list:

  • Psycopg2 inserts bind variables (sql parameters) into the query string before sending to libpq, thus potentially exposing the application to SQL injection attacks.

However I'm not certain about that. I do know that psycopg2 performs quoting on the sql params, but I'm not certain whether that's sufficient to prevent SQL injection. It does not appear that psycopg2 uses libpq's parameter facilities but it's unclear why. -- PrestonLanders 16:10, 8 May 2012 (UTC)

Personal tools