Taragolis commented on issue #34252:
URL: https://github.com/apache/airflow/issues/34252#issuecomment-1712806399

   Just interesting how many of them actually could be classified as SQL 
Injection? I mean, have a public API to call it without a change in code. For 
example, in Postgres I could find only the part which cannot be provided by 
server-side binding due to limitations of Postgres or DBAPI v2 (and sometimes 
both), e.g. you could bind only in limited places, but when it comes to 
dynamic queries you can't use server-side binding just because that is how 
Postgres works in limited places. But all of these places require providing 
these values as part of different operators' arguments.
   
   With Postgres it is a nice sample where we could do something: 
[psycopg2.sql](https://www.psycopg.org/docs/sql.html#module-psycopg2.sql), 
[server-side binding in psycopg (formally 
v3)](https://www.psycopg.org/psycopg3/docs/basic/from_pg2.html#server-side-binding),
 however when it comes to others it might be hardly possible to do it; my 
personal worst sample is MySQL because we simultaneously use 3 different libraries 
[mysql-connector-python](https://pypi.org/project/mysql-connector-python/), 
[mysqlclient](https://pypi.org/project/mysqlclient/), 
[PyMySQL](https://pypi.org/project/pymysql/) and none of them provides such an 
interface.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
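The binding limitation discussed in the comment, as an added example that is not part of the original message or of Airflow's code. It assumes the standard-library `sqlite3` driver as an offline stand-in for a DBAPI v2 Postgres driver; `quote_ident`, the `jobs` table and its rows are hypothetical and constructed for illustration, with `quote_ident` playing the role that `psycopg2.sql.Identifier` plays in psycopg2.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory table of jobs and owners."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "jobs" (id INTEGER, owner TEXT)')
    conn.executemany("INSERT INTO jobs VALUES (?, ?)",
                     [(1, "alice"), (2, "alice"), (3, "bob")])
    return conn


def binding_identifier_fails(conn):
    """Placeholders are accepted only where a value is expected, so a table
    name passed as a bound parameter is rejected by the SQL parser."""
    try:
        conn.execute("SELECT count(*) FROM ? WHERE owner = ?", ("jobs", "alice"))
    except sqlite3.OperationalError:
        return True
    return False


def quote_ident(name):
    """Hypothetical helper: quote an identifier with the standard SQL rule
    (wrap in double quotes, double any embedded double quote)."""
    if not name or "\x00" in name:
        raise ValueError("invalid identifier")
    return '"' + name.replace('"', '""') + '"'


def count_rows(conn, table, owner, allowed_tables):
    """Dynamic query: the identifier is checked against an allowlist and
    quoted when the SQL text is built; the value is still bound."""
    if table not in allowed_tables:
        raise ValueError(f"table not allowed: {table!r}")
    query = f"SELECT count(*) FROM {quote_ident(table)} WHERE owner = ?"
    return conn.execute(query, (owner,)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print("binding a table name fails:", binding_identifier_fails(db))
    print("alice owns:", count_rows(db, "jobs", "alice", {"jobs"}))
    # A quote-laden string in the value position is compared as plain data.
    print("odd owner:", count_rows(db, "jobs", "x' OR '1'='1", {"jobs"}))
```

With psycopg2 the same split is written as `sql.SQL("... FROM {} WHERE owner = %s").format(sql.Identifier(table))`, with the value passed separately to `execute`.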