Are executesql parameters escaped?
45 views
Skip to first unread message
Jorrit
Jan 12, 2017, 8:46:28 AM1/12/17
to web2py-users
When I use db.executesql like so:
...are the cluster and active_id parameters SQL-escaped? If not what is the best way to do this?
birthdays = db.executesql("SELECT * FROM auth_user WHERE DAYOFYEAR(curdate() -2) < dayofyear(dateOfBirth) "
"AND DAYOFYEAR(curdate()) +7 >= dayofyear(dateOfBirth) "
"AND employeeState_id = {1} AND location_id IN (SELECT location_id FROM clusterLocation WHERE cluster_id={0}) ORDER BY MONTH(dateOfBirth), "
"DAY(dateOfBirth);".format(cluster, active_id), as_dict=True)
...are the cluster and active_id parameters SQL-escaped? If not what is the best way to do this?
Niphlod
Jan 13, 2017, 2:59:35 AM1/13/17
to web2py-users
when you do that, you're passing 'string'.format() (which is a string) to executesql.
the proper way is to use parameters!!!
db.executesql('select * from auth_user where id = ?', placeholders=(1, ), as_dict=True)
the nitty gritty details of the syntax depend on the driver parameter
Jorrit
Jan 13, 2017, 5:54:02 AM1/13/17
to web2py-users
Thank you!
Reply all
Reply to author
Forward
0 new messages