
Can I use prepared commands with pyorient?

Open hrugani opened this issue 9 years ago • 7 comments

Can I use prepared commands with pyorient?

Something like: insert into Person (name, age) values (:name, :age) or insert into Person (name, age) values (?, ?)

and then submit the prepared command several times against the database with different values for bind variables.

hrugani, Mar 07 '15 13:03

Hi @hrugani ,

OrientDB does not offer support for prepared statements on the binary protocol. PyOrient, too, has no prepared statements, but this could be a good idea for an enhancement.

If you have some idea/code to submit, I will be happy to implement/integrate it in PyOrient.

Ostico, Mar 07 '15 15:03

+1 for this, it would be very useful!

lucasxteixeira, May 18 '15 16:05

Agree, would prevent SQL injections, which is a risk right now.

rpietro, May 18 '15 16:05

+1

davidmine, Jul 16 '15 22:07

+1, prepared statements to prevent injection would really improve things a lot.

dargolith, Nov 17 '15 13:11

+1: without this, it's a huge barrier to solutions using pyorient, and possibly to OrientDB in general if it's not in the binary driver. I'd rather not rely on a WAF to detect malicious SQL when this could be done cleanly within the application. I'd be happy with a helper that sanitises a string if such a thing exists?

antonyh, Dec 13 '15 21:12
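
Added example, not part of the thread and not pyorient or OrientDB code: a client-side binder for the `:name` placeholders in the opening question, of the kind the comment above asks about. The names `bind` and `quote_literal` are hypothetical, and the rule that OrientDB string literals use backslash escaping is an assumption to check against the server version in use.

```python
import re

# Assumption: OrientDB SQL string literals are quoted with ' or " and use
# backslash as the escape character, so quotes and backslashes are escaped.
# The pattern matches quoted literals first so placeholders inside them are skipped.
_PLACEHOLDER = re.compile(r"'(?:\\.|[^'\\])*'|\"(?:\\.|[^\"\\])*\"|:([A-Za-z_]\w*)")

def quote_literal(value):
    """Render one Python value as a SQL literal (hypothetical helper)."""
    if value is None:
        return "null"
    if isinstance(value, bool):      # test bool before int: bool subclasses int
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    if isinstance(value, float):
        if value != value or value in (float("inf"), float("-inf")):
            raise ValueError("non-finite float cannot be bound")
        return repr(value)
    if isinstance(value, str):
        if "\x00" in value:
            raise ValueError("NUL byte in string parameter")
        escaped = value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')
        return "'" + escaped + "'"
    # Anything else (lists, dicts, bytes, objects) is refused, never str()-ed.
    raise TypeError("unsupported parameter type: %s" % type(value).__name__)

def bind(template, params):
    """Replace :name placeholders outside quoted literals with escaped values."""
    used = set()
    def substitute(match):
        name = match.group(1)
        if name is None:             # a quoted literal in the template: keep as is
            return match.group(0)
        if name not in params:
            raise KeyError("no value for placeholder :" + name)
        used.add(name)
        return quote_literal(params[name])
    sql = _PLACEHOLDER.sub(substitute, template)
    unused = set(params) - used
    if unused:                       # fail closed on misspelled parameter names
        raise ValueError("unused parameters: " + ", ".join(sorted(unused)))
    return sql

TEMPLATE = "insert into Person (name, age) values (:name, :age)"
# Constructed sample inputs, including a value that tries to close the quote.
ROWS = [{"name": "Ann", "age": 31}, {"name": "x', 0); delete from Person; --", "age": 7}]
STATEMENTS = [bind(TEMPLATE, row) for row in ROWS]
```

Each string in `STATEMENTS` is what would be handed to the driver; the template itself stays a constant and is never built from user input.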

This is an old issue, but it seems that OrientJS has support for parameterized queries. Given that OrientJS uses the binary protocol, I think @Ostico's assertion above may not be valid any more.

Can we work this critical feature into pyorient now please? @mogui

vipulmathur, Sep 06 '18 06:09