connector-x icon indicating copy to clipboard operation
connector-x copied to clipboard

Published 20 hours ago verified publisher icon sfu-db

Support passing parameters to SQL query

Open 1Dragoon opened this issue 3 years ago • 6 comments

Is it possible to send prepared statements to MSSQL? I'm able to do this with tiberius directly, but I don't see a way to do it with connectorx. Also I don't see a way to use integrated authentication in windows environments, which can also be done with the bare tiberius crate, is that also possible? EDIT: figured out how to get integrated auth, just don't specify username/password in the url

Just using Rust BTW, not python.

1Dragoon avatar Dec 22 '21 17:12 1Dragoon

Hi @1Dragoon , thanks for brining up this issue! We don't support prepared statements for now. I think the difficulty here is that we need to require the input parameters' type implement the ToSql trait of all the databases. Since we support multiple databases here and each driver defines their own ToSql or equivalent trait. May I ask the performance difference between using prepared statement and not using it in your scenario? Also please kindly me know if you find an easy way to tackle the issue.

For windows integrated authentication, you can add the trusted_connection=true parameter in the uri like mssql://host:port/db?trusted_connection=true.

wangxiaoying avatar Dec 23 '21 04:12 wangxiaoying

Sorry for not following up for a long time, this isn't really for a performance concern so much as it is a security concern. Basically the use case here is being able to easily delineate between user defined SQL code and developer defined SQL code to i.e. mitigate SQL injection.

1Dragoon avatar Mar 18 '22 17:03 1Dragoon

Hi 👋,

Thanks @wangxiaoying for this lib, its performance really shines <3

This feature would be very useful. I guess what's needed is something similar to params of pandas.read_sql. (PEP249)

ghilesmeddour avatar Jul 13 '22 10:07 ghilesmeddour

For postgresql at least we can emulate it client side

import psycopg2
import connectorx as cx

DSN = 'postgresql://username:password@host:port/dbname'

conn = None

def read_sql(sql, params=None):
    global conn
    if params:
        if conn is None:
            conn = psycopg2.connect(DSN)
        sql = conn.cursor().mogrify(sql, params).decode('utf-8')
    return cx.read_sql(DSN, sql)

char101 avatar Aug 07 '22 09:08 char101

FYI it's now

from psycopg import connect, ClientCursor

with connect(DSN, cursor_factory=ClientCursor) as cn:
    sql = cn.cursor().mogrify(sql, params)

For psycopg3

david-waterworth avatar Mar 07 '23 00:03 david-waterworth

Any update on this issue? I'm experimenting with connectorx and need to pass some params without injections. Is there any other ways we can use?

yasaslive avatar Apr 17 '23 18:04 yasaslive