Add support for parametrized queries

Hello,

Props for this wonderful tool!

My understanding is that the end product for the user is always the SQL string as returned by calling str on a Query object. Such string can then be passed to whatever database interface the user is using. However, SQL interfaces also accept so-called parametrized queries, where the input isn’t a single SQL string, but rather a string containing placeholders alongside a tuple containing values to replace the placeholders with. Parameterized queries are very important as they’re the only working solution against SQL injection.

The interface could be improved such that the Query object would have two properties statement and values corresponding respectively to the parametrized statement and the values for this statement. The behavior of str would still be relevant as it’s always useful to know what a query looks like even when parametrized, although its output should be documented as insecure with untrusted data.

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Reactions: 5
  • Comments: 6 (2 by maintainers)

Top GitHub Comments

3 reactions
grigi commented, Jan 7, 2019

I’m looking at adding parametrised query support. My planned implementation is something along the lines of:

Instead of calling query.get_sql() (or str(query)) instead add a query.get_parametrised_sql() which would return Tuple[str, List], and leaves PyPika to return the objects in the right order, so we can just do an execute(sql, *params)

The reason is that the way PyPika is used (in the monoid pattern) order of parameters is only determined at evaluation time, and is dependent on the dialect. I’d rather not duplicate that logic, prone to forward compatibility issues etc… We hand the objects to pypika, and it hands them back to us in the right order with the equivalent sql.

Is there anything I’m overlooking @twheys ?
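A worked illustration of the (statement, values) interface the issue asks for and of the `get_parametrised_sql()` shape proposed in the comment above, added here as example code that is not PyPika's own: the `Query` class, the `users` table and its rows are hypothetical, and sqlite3's `?` placeholder style is assumed.

```python
import sqlite3
from typing import Any, List, Optional, Tuple

# Hypothetical minimal builder (not PyPika's API) modelling the proposed shape:
# one method hands back the placeholder statement and its values together,
# in the order the statement needs them, so the caller never quotes anything.
class Query:
    def __init__(self, table: str) -> None:
        self._table = table
        self._where: List[Tuple[str, Any]] = []

    def where(self, column: str, value: Any) -> "Query":
        self._where.append((column, value))  # value kept as an object, never quoted
        return self

    def get_parametrised_sql(self, placeholder: str = "?") -> Tuple[str, List[Any]]:
        """Return (statement, values) for db.execute(statement, values)."""
        sql = f"SELECT id, name FROM {self._table}"
        if self._where:
            sql += " WHERE " + " AND ".join(f"{c} = {placeholder}" for c, _ in self._where)
        return sql, [v for _, v in self._where]

    def __str__(self) -> str:
        """The existing str(query) behaviour: values inlined, fit for logging only."""
        sql, params = self.get_parametrised_sql()
        for value in params:  # naive quoting, the rendering the issue calls insecure
            sql = sql.replace("?", f"'{value}'", 1)
        return sql


def _connection() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")  # constructed sample data, not real users
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "O'Brien")])
    return conn


def lookup_parametrised(name: str) -> List[Tuple[int, str]]:
    sql, params = Query("users").where("name", name).get_parametrised_sql()
    return _connection().execute(sql, params).fetchall()


def lookup_inlined(name: str) -> Optional[List[Tuple[int, str]]]:
    # The str() path: a value that merely contains a quote already breaks the
    # statement, which is why the issue wants it documented as unsafe for input.
    try:
        return _connection().execute(str(Query("users").where("name", name))).fetchall()
    except sqlite3.Error:
        return None
```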

2 reactions
twheys commented, Apr 1, 2018

Thanks for raising this ticket. Can definitely do something like that in the near future.
