SQL Injection

SQL Injection is important topic when dealing when database interactions. The best practices involve passing parameters into the query as such.

sql = "SELECT * FROM table WHERE id=(%s);"
data = (1, )
cur.execute(sql, data)

Using string concatenation and interpolation is usually a no no when dealing with DB adapters such as psycopg2. The problem though for locopy comes from query parameter passing for the non select type statements (COPY, UNLOAD, etc.). These do not play nice with parameter passing.

The execute method of the Database class uses parameters, but the COPY/UNLOAD commands unfortunately cannot, so please keep these in mind when building out your application. It is important to call this out so people are aware of this limitation, and realize using locopy for a client facing application (think website with input field) might not be the best idea. Most people will be using locopy for ETL processing internally where the input usage is internal vs external, and known to be safer.