Re: Using standard SQL placeholders in PG

On Wed, 13 Oct 2021 at 15:44, Lembark, Steven
<Steven.Lembark@broadridge.com> wrote:

>... The doller-notation allows re-use of positional parameters and avoids SQL injection entirely by placing the input
isappropriately-typed buffers w/in the SQL statement handler. It also avoids issues with double-interpolating quotes as
theplaceholders are not literals and do not require SQL-quoting to be interpolated properly. 

You still require to convert items to string in the right format
understood by Postgres, which might be different from the Python
string form.

> Q: Is there any way to prepare and execute standard PG SQL statements with dollar placeholders in PsychoPG2?

No. psycopg2 is entirely built around "convert to postgres format and
add quotes". We have just released Psycopg 3 exactly to solve this
kind of problem. It also has no direct access to PQexecParams, but it
only uses PQexec so there's no easy way to plug in the $1 params.

Note that still Psycopg 3 doesn't allow you to use $1 placeholders,
but they are the ones it uses internally. There is an internal object,
PostgresQuery, that takes a %s-style query and, among other things,
converts it in $n format. It wouldn't be a difficult thing to write a
cursor to do less work and just convert the arguments.

In Psycopg 3 you can also go a level lower and call directly
PQexecParams passing the query and arguments you want, in postgres
format, but then you have to do the conversion from Python objects to
Postgres format yourself. I would rather put together a cursor to do
so, as above.

So, things can be done, but in Psycopg 3.

-- Daniele