Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support passing parameters to SQL query #208

Open
1Dragoon opened this issue Dec 22, 2021 · 6 comments
Open

Support passing parameters to SQL query #208

1Dragoon opened this issue Dec 22, 2021 · 6 comments

Comments

@1Dragoon
Copy link

1Dragoon commented Dec 22, 2021
edited
Loading

Is it possible to send prepared statements to MSSQL? I'm able to do this with tiberius directly, but I don't see a way to do it with connectorx. Also I don't see a way to use integrated authentication in windows environments, which can also be done with the bare tiberius crate, is that also possible? EDIT: figured out how to get integrated auth, just don't specify username/password in the url

Just using Rust BTW, not python.
@1Dragoon 1Dragoon changed the title MSSQL prepared statements Tiberius operations/params (i.e. prepared statements, integrated authentication) Dec 22, 2021
@wangxiaoying
Copy link
Contributor

Hi @1Dragoon , thanks for brining up this issue! We don't support prepared statements for now. I think the difficulty here is that we need to require the input parameters' type implement the ToSql trait of all the databases. Since we support multiple databases here and each driver defines their own ToSql or equivalent trait. May I ask the performance difference between using prepared statement and not using it in your scenario? Also please kindly me know if you find an easy way to tackle the issue.

For windows integrated authentication, you can add the trusted_connection=true parameter in the uri like mssql://host:port/db?trusted_connection=true.

@1Dragoon
Copy link
Author

Sorry for not following up for a long time, this isn't really for a performance concern so much as it is a security concern. Basically the use case here is being able to easily delineate between user defined SQL code and developer defined SQL code to i.e. mitigate SQL injection.

@wangxiaoying wangxiaoying changed the title Tiberius operations/params (i.e. prepared statements, integrated authentication) Support passing parameters to SQL query Jun 9, 2022
@ghilesmeddour
Copy link

Hi 👋,

Thanks @wangxiaoying for this lib, its performance really shines <3

This feature would be very useful. I guess what's needed is something similar to params of pandas.read_sql. (PEP249)

@char101
Copy link

char101 commented Aug 7, 2022
edited
Loading

For postgresql at least we can emulate it client side

import psycopg2
import connectorx as cx

DSN = 'postgresql://username:password@host:port/dbname'

conn = None

def read_sql(sql, params=None):
    global conn
    if params:
        if conn is None:
            conn = psycopg2.connect(DSN)
        sql = conn.cursor().mogrify(sql, params).decode('utf-8')
    return cx.read_sql(DSN, sql)

@david-waterworth
Copy link

FYI it's now

from psycopg import connect, ClientCursor

with connect(DSN, cursor_factory=ClientCursor) as cn:
    sql = cn.cursor().mogrify(sql, params)

For psycopg3

@yasaslive
Copy link

Any update on this issue? I'm experimenting with connectorx and need to pass some params without injections. Is there any other ways we can use?

@alexander-beedie alexander-beedie mentioned this issue Nov 25, 2023
Closed
@alexander-beedie alexander-beedie mentioned this issue Mar 1, 2024
Merged
@redfave redfave mentioned this issue Feb 19, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@char101 @1Dragoon @david-waterworth @wangxiaoying @yasaslive @ghilesmeddour