I noticed that some classes are using string formatting instead of parameterized queries, presumably to support the "IN" operator: https://github.com/mozilla/socorro/blob/master/socorro/external/postgresql/bugs.py#L38 However according to the docs (e.g. http://initd.org/psycopg/docs/usage.html) and a little test I just ran this should work: params = ((1,2),) stmt = "SELECT * FROM test WHERE col1 IN %s" print cur.mogrify(stmt,params) Output is: SELECT * FROM test WHERE col1 IN (1, 2) Alternatively you could do: params = [1,2] And psycopg2 will output: SELECT * FROM test WHERE col1 IN ARRAY[1, 2] Is there a reason not to do it this way? I am a lot more comfortable with Postgres doing the paramerization and not doing it with Python strings ;)
See comment 0
So there's no security issue with that example because what it does is simply building a list of parameters (like "signature%1, signature%2") that psycopg will then securely replace with actual values. However, the code that you are showing looks much better than the current code.
Yes. I agree. We should always use psycopg's serializer. I think the trick is that it needs to be a tuple. I think the code in bugs.py should be refactored. There's no need to make it things like `signature%1`, right?
Commit pushed to master at https://github.com/mozilla/socorro https://github.com/mozilla/socorro/commit/e2639de48a502868f597d27547e0e40995ac5782 fixes bug 950385 - use psycopg's IN operator serializer, r=adrian
Bumping to verified as [qa-]