How to improve PostgreSQL without SQL injection (LIKE %)

# searchString is concatenated straight into the SQL text: a quote in the
# input closes the string literal and whatever follows is executed as SQL.
cur.execute("SELECT officialid from OFFICIAL WHERE username LIKE '%" + searchString + "%'")

# Same problem with Python %-formatting: the values are formatted into the
# query string before it reaches the driver, so nothing is quoted or escaped.
sql = "UPDATE EVENT SET eventname = '%s', sportid = %d, referee = %d, judge = %d, medalgiver = %d " \
       "WHERE eventid = %s" % (event_name, s[0][0], r[0][0], j[0][0], m[0][0], event_id)
cur.execute(sql)
Chloe
    This [post](https://stackoverflow.com/questions/902408/how-to-use-variables-in-sql-statement-in-python) may help you. – Ptit Xav Nov 12 '21 at 12:48

1 Answer

Just pass a tuple of arguments to the execute() function as its second argument and use %s placeholder(s) in the query string. Something like this:

sql = "UPDATE EVENT SET eventname = %s, sportid = %s, referee = %s, judge = %s, medalgiver = %s " \
       "WHERE eventid = %s"
cur.execute(sql, (event_name, s[0][0], r[0][0], j[0][0], m[0][0], event_id))
balrundev
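The answer above fixes the UPDATE but does not cover the first statement in the question, the LIKE '%...%' search. Parameters stop SQL injection, but '%' and '_' inside the parameter are still LIKE wildcards, so a user searching for "50%" would also match "50 dollars". The following is an added example, not code from the question or the answer: it builds both of the asker's statements with psycopg2-style %s placeholders and escapes the wildcard characters before wrapping the search term in '%'. Table and column names are the ones from the question; psycopg2, the PG_DSN environment variable and the sample values in main() are assumptions for the demo.

```python
# Added example (not from the question or the answer): parameterised versions
# of both of the asker's statements, including the LIKE '%...%' search.
# Assumptions: psycopg2 as the driver and a DSN in the PG_DSN environment
# variable for the demo in main(); the query-building functions run offline.
import os

LIKE_ESCAPE = "\\"  # PostgreSQL's default LIKE escape character


def escape_like(value: str, esc: str = LIKE_ESCAPE) -> str:
    """Escape LIKE metacharacters in user input.

    A bound parameter cannot break out of the SQL, but '%' and '_' in it are
    still wildcards to LIKE. The escape character itself is doubled first so
    a trailing backslash in the input cannot un-escape the '%' we add later.
    """
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def build_search(search_string: str):
    """Return (sql, params) for the asker's LIKE search.

    The wildcards live in the parameter, not in the query text, so the query
    contains no literal '%' and nothing needs to be doubled for psycopg2.
    ESCAPE '\\' makes the escape character explicit in the SQL.
    """
    sql = ("SELECT officialid FROM OFFICIAL "
           "WHERE username LIKE %s ESCAPE '\\'")
    pattern = "%" + escape_like(search_string) + "%"
    return sql, (pattern,)


def build_event_update(event_name, sportid, referee, judge, medalgiver, event_id):
    """Return (sql, params) for the asker's UPDATE.

    psycopg2 accepts only %s (or %(name)s) placeholders, never %d, even for
    integer columns; quoting and type adaptation are done by the driver.
    """
    sql = ("UPDATE EVENT SET eventname = %s, sportid = %s, referee = %s, "
           "judge = %s, medalgiver = %s WHERE eventid = %s")
    return sql, (event_name, sportid, referee, judge, medalgiver, event_id)


def main():
    # Demo only: needs psycopg2 and a database reachable via PG_DSN (assumed).
    import psycopg2
    conn = psycopg2.connect(os.environ["PG_DSN"])
    with conn, conn.cursor() as cur:
        # Hostile input: the quote stays inside the parameter and the '%' is
        # matched literally because escape_like() backslash-escaped it.
        sql, params = build_search("o'neil%")
        cur.execute(sql, params)
        print(cur.fetchall())
        sql, params = build_event_update("100m final", 3, 7, 8, 9, 42)  # sample values
        cur.execute(sql, params)
        print(cur.rowcount, "row(s) updated")
    conn.close()


if __name__ == "__main__":
    main()
```

If a case-insensitive search is wanted, ILIKE takes the same ESCAPE clause and the same escaped parameter. Without escape_like() the search is still injection-safe, it just lets callers search with wildcards, which may or may not be what the application intends.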