Hello,
I'm concerned about whether the usual parameter escaping mechanism is enough in
a LIKE or regular expression search.
I run a recent Postgres version and use the Python connector psycopg2 for a web
application. I understand that if I always escape as in
dBres=dBcsr.execute('SELECT docText FROM documents WHERE
name=%(storyName)s',{'storyName':storyName})
then I am doing the right thing. Suppose now that I want to search the text of
those documents? I have been unable to find if I need to anything more for a
LIKE or regex search, and also unable to find any assurance that it is enough.
(No doubt I've not looked in the right place; sorry.)
I plan to add full text searching also; is the escaping mechanism enough there?
Thank you for your help,
Jim
---------------------------(end of broadcast)---------------------------
TIP 6: explain analyze is your friend
