Re: How do I use parameterized queries with LIKE?
From | Federico Di Gregorio |
---|---|
Subject | Re: How do I use parameterized queries with LIKE? |
Date | |
Msg-id | 4FC46CAA.8030109@dndg.it |
In reply to | Re: How do I use parameterized queries with LIKE? ("W. Matthew Wilson" <matt@tplus1.com>) |
List | psycopg |
On 29/05/12 02:30, W. Matthew Wilson wrote:
> On Mon, May 28, 2012 at 6:42 PM, Daniele Varrazzo
> <daniele.varrazzo@gmail.com> wrote:
>> If you have parameters in the query, % is used as placeholder prefix.
>> You must use %% to include a literal % in the query:
>>
>> In [14]: cur.execute("""select email_address from customer where
>> email_address like '%%' || %s || '%%'""", ('matt',))
>>
>> or you can add the % to the value instead of the query:
>>
>> In [17]: cur.execute("""select email_address from customer where
>> email_address like %s""", ('%matt%',))
> Thanks so much! I'm using the first solution, so that I can just
> extract user-submitted data and pass it right in, rather than
> prepending and appending '%' on the user data.

If you're using user-submitted data remember to ALWAYS use bound
variables and never fall back to Python string interpolation: SQL
injection lurks.

federico

--
Federico Di Gregorio                         federico.digregorio@dndg.it
Studio Associato Di Nunzio e Di Gregorio                  http://dndg.it
 Chinese vultures feed on art, but they can also eat 'tomorrows'.
                                                      -- Haruki Murakami
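Added example, not code from the thread or from psycopg itself: pure-Python helpers that keep the user's text a bound parameter for both variants Daniele posted, and additionally escape LIKE's own wildcards (`%`, `_`, `\`) so a search for "50%" does not match every row. `render_for_inspection` is an assumption-level stand-in that only mimics psycopg's %-substitution for reading the final statement offline; with a real connection the SQL and params go to `cursor.execute()` unchanged.

```python
# Added example, not from the psycopg thread. Helpers for a psycopg2 LIKE
# search where user input is always a bound value, never interpolated into
# the SQL text. render_for_inspection() is a connection-free approximation
# of cursor.mogrify() used here only to show the resulting statement.

def escape_like(text: str) -> str:
    """Escape LIKE metacharacters so user input matches literally.
    PostgreSQL's default LIKE escape character is a backslash, so the
    backslash is doubled first, then % and _ are prefixed with it."""
    for ch in ("\\", "%", "_"):
        text = text.replace(ch, "\\" + ch)
    return text

# Variant 1 from the thread: wildcards live in the SQL text. Each literal %
# is written %% because %s is psycopg's placeholder prefix.
SQL_WILDCARDS_IN_QUERY = (
    "SELECT email_address FROM customer "
    "WHERE email_address LIKE '%%' || %s || '%%'"
)

# Variant 2 from the thread: plain %s placeholder, wildcards go into the value.
SQL_WILDCARDS_IN_VALUE = (
    "SELECT email_address FROM customer WHERE email_address LIKE %s"
)

def params_for_query_variant(user_text: str) -> tuple:
    """Bound parameter tuple for SQL_WILDCARDS_IN_QUERY."""
    return (escape_like(user_text),)

def params_for_value_variant(user_text: str) -> tuple:
    """Bound parameter tuple for SQL_WILDCARDS_IN_VALUE."""
    return ("%" + escape_like(user_text) + "%",)

def render_for_inspection(sql: str, params: tuple) -> str:
    """Approximate cursor.mogrify() without a connection: quote each value as
    a SQL string literal (doubling single quotes) and apply %-substitution,
    which also collapses %% to %. For inspection in tests only; a real
    application passes sql and params straight to cursor.execute()."""
    quoted = tuple("'" + p.replace("'", "''") + "'" for p in params)
    return sql % quoted

if __name__ == "__main__":
    # Constructed sample input: a name containing a quote and a LIKE wildcard.
    sample = "o'brien_50%"
    print(render_for_inspection(SQL_WILDCARDS_IN_QUERY, params_for_query_variant(sample)))
    print(render_for_inspection(SQL_WILDCARDS_IN_VALUE, params_for_value_variant(sample)))
```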