Parameterized queries with psycopg2 / Python DB-API and PostgreSQL

python postgresql psycopg2
jeffcook2150 picture jeffcook2150 · Sep 23, 2009 · Viewed 49.9k times · Source

What's the best way to make psycopg2 pass parameterized queries to PostgreSQL? I don't want to write my own escpaing mechanisms or adapters and the psycopg2 source code and examples are difficult to read in a web browser.

If I need to switch to something like PyGreSQL or another python pg adapter, that's fine with me. I just want simple parameterization.

Answer

Hank Gay picture Hank Gay · Sep 24, 2009

psycopg2 follows the rules for DB-API 2.0 (set down in PEP-249). That means you can call execute method from your cursor object and use the pyformat binding style, and it will do the escaping for you. For example, the following should be safe (and work):

cursor.execute("SELECT * FROM student WHERE last_name = %(lname)s", 
               {"lname": "Robert'); DROP TABLE students;--"})

Related questions

DatabaseError: current transaction is aborted, commands ignored until end of transaction block?

I got a lot of errors with the message : "DatabaseError: current transaction is aborted, commands ignored until end of transaction block" after changed from python-psycopg to python-psycopg2 as Django project's database engine. The code remains the same, just don't know …

Read More
How to set up a PostgreSQL database in Django

I'm new to Python and Django. I'm configuring a Django project using a PostgreSQL database engine backend, But I'm getting errors on each database operation. For example when I run manage.py syncdb, I'm getting: C:\xampp\htdocs\djangodir>…

Read More
Error: No module named psycopg2.extensions

I am trying to set up a PostgreSQL database for my django project, which I believe I have done now thanks to the replies to my last question Problems setting up a postgreSQL database for a django project. I am …

Read More