Separate SQL query parameters from SQL code
das-g opened this issue · 0 comments
das-g commented
to avoid (malicious or accidental) SQL injections.
Where psycopg is used directly, this can be done as described on http://initd.org/psycopg/docs/sql.html
(Dunno whether that is psycopg's way to do prepared statements, which would be optimal. In 2013 it wasn't.)
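An added illustration of the separation this issue asks for, not code from this project: the SQL text stays fixed and user-supplied values travel as bound parameters. It uses Python's standard `sqlite3` module as a stand-in so it runs without a database server; with psycopg the same separation is `cursor.execute(query, params)` for values and `psycopg2.sql.Identifier` for table or column names, as the linked page describes. The table, rows and inputs are constructed sample data.

```python
import sqlite3

ALLOWED_COLUMNS = {"name", "email"}


def make_db():
    # Constructed in-memory sample table, not from the project.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.org"),
                      ("o'brien", "ob@example.org")])
    return conn


def lookup_vulnerable(conn, name):
    # SQL code and the value are mixed into one string, so the value
    # can change the structure of the query (or simply break it).
    query = "SELECT email FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, name):
    # The SQL code is fixed; the value is bound by the driver and is
    # always treated as data, whatever characters it contains.
    query = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


def lookup_by_column(conn, column, value):
    # Identifiers cannot be bound as parameters. psycopg's sql.Identifier
    # quotes them safely; with sqlite3 we restrict the name to an
    # allow-list and double-quote it, and still bind the value.
    if column not in ALLOWED_COLUMNS:
        raise ValueError("unknown column: %r" % column)
    query = 'SELECT email FROM users WHERE "%s" = ?' % column
    return [row[0] for row in conn.execute(query, (value,))]


def demo():
    conn = make_db()
    results = {"accidental": None}
    try:
        lookup_vulnerable(conn, "o'brien")      # stray quote breaks the SQL
    except sqlite3.OperationalError as exc:
        results["accidental"] = str(exc)
    results["safe_apostrophe"] = lookup_parameterized(conn, "o'brien")
    tautology = "nobody' OR 'a'='a"             # constructed hostile input
    results["vuln_tautology"] = lookup_vulnerable(conn, tautology)   # every row
    results["safe_tautology"] = lookup_parameterized(conn, tautology)  # no row
    return results


if __name__ == "__main__":
    print(demo())
```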