Parameterized queries in Python with psycopg

13567 views

                  import psycopg

with psycopg.connect(conninfo) as connection:
    with connection.cursor() as cursor:
        cursor.execute(
            'SELECT id, email FROM users WHERE email = %s',
            (email,),
        )
        record = cursor.fetchone()

Even outside ORMs, parameterized database access needs to be the default habit. The query string should describe structure while the driver binds user values separately. That sounds basic, but it is still where too many internal tools quietly fail security review.

Kai Nakamura

More from Kai Nakamura

Parameterized queries in Python with psycopg

0 Comments

More from Kai Nakamura