SQL injection attacks are consistently ranked among the most common attacks against systems. For this reason, ORMs offer many ways of dealing with injections. A common solution is bind variables: a placeholder in the query whose value is passed to the database separately by the driver, so it is never interpreted as part of the SQL text.
However, while binding values is very common, I often find myself needing to use table and column names as variables as well, and ordinary bind variables cannot be used for identifiers. A stroll through psycopg2's documentation led me to the discovery of psycopg2.sql.Identifier and psycopg2.sql.Literal, two low-level helpers for safely composing any type of variable into a query.
This discovery sparked my fourth article for RealPython, "Preventing SQL Injection Attacks With Python". If you're not sure what SQL injection is, this article will walk you through everything you need to know. If you are an ORM veteran, check your knowledge and get yourself familiar with the low-level psycopg2.sql module.
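To show the difference in practice, here is an added example that is not part of the original post or of psycopg2's own code: quote_ident is a simplified offline stand-in for the quoting psycopg2.sql.Identifier performs, ALLOWED_COLUMNS and the hostile input are constructed, and psycopg2_query shows the real library call.

```python
# Added example (not from the original post or psycopg2's own code).
# Shows why table/column names cannot use ordinary bind parameters and
# how identifier quoting plus an allowlist neutralises a hostile name.
# quote_ident() is a simplified offline stand-in for the quoting that
# psycopg2.sql.Identifier renders; the real call is at the end.


def unsafe_query(table: str, column: str) -> str:
    """Vulnerable pattern: identifiers pasted straight into the SQL text."""
    return f"SELECT {column} FROM {table}"


def quote_ident(name: str) -> str:
    """Quote one SQL identifier the way PostgreSQL expects: wrap it in
    double quotes and double any embedded quote, so the whole value is
    parsed as a single name and never as SQL syntax."""
    if not name or "\x00" in name:
        raise ValueError("invalid identifier")
    return '"' + name.replace('"', '""') + '"'


ALLOWED_COLUMNS = frozenset({"id", "email", "created_at"})  # constructed


def check_allowlist(name: str, allowed: frozenset) -> str:
    """Defence in depth: only accept identifiers the application knows."""
    if name not in allowed:
        raise ValueError(f"identifier not permitted: {name!r}")
    return name


def safe_query(table: str, column: str) -> str:
    """Hardened form: quoted identifiers; values would still use %s params."""
    return f"SELECT {quote_ident(column)} FROM {quote_ident(table)}"


def psycopg2_query(table: str, column: str):
    """The real psycopg2 building block (needs psycopg2 installed; rendering
    it with .as_string(conn) or executing it needs a live connection).
    Usage: cur.execute(psycopg2_query("users", "email"), (42,))"""
    from psycopg2 import sql
    return sql.SQL("SELECT {col} FROM {tbl} WHERE id = %s").format(
        col=sql.Identifier(column), tbl=sql.Identifier(table)
    )


if __name__ == "__main__":
    hostile = "id FROM users; DROP TABLE users; --"  # constructed input
    print(unsafe_query("users", hostile))  # second statement is live SQL
    print(safe_query("users", hostile))    # one quoted, inert identifier
```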
Read "Preventing SQL Injection Attacks With Python" on RealPython ≫