This repository was archived by the owner on Oct 29, 2024. It is now read-only.
I spent a long time trying to find a format of query with variable inputs. I eventually found the following which allows parameters in the select statement.
res = influx.query("""
select * from program_event_name
where account = '%s'
and region = '%s'
order by time desc limit 1""" % (
account['name'], region))
at the web site below which includes other influxdb code examples.
https://www.programcreek.com/python/example/107755/influxdb.InfluxDBClient
This format worked perfectly. I would like to see this or a similar example of parameterized query included in the basic documentation of the library as I believe it gives a lot of extra flexibility which is not obvious to me from the existing documentation and could save developers a lot of time.
I'd argue against including this kind of example, not only is it not a query with variables (this is string formatting, the formatted string is passed to influxdb-python without parameters) but more importantly this is a potentially dangerous pattern as remarked by #316 and #603 and as I explained here.
You should use bind parameters instead, they will be available and documented in the next release.
Or you can already use:
params = {"account": account['name'], "region": region}
query('select * from program_event_name '
      'where account = $account '
      'and region = $region '
      'order by time desc limit 1',
      params={"params": json.dumps(params)}
)
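As an added illustration (not code from this thread or from influxdb-python), the sketch below compares the two snippets above offline: it builds the text the `%`-formatted query produces and checks whether the string literals in it are still exactly the supplied values, then shows what the bind-parameter workaround sends instead. The helper names and sample values are constructed; `q` is the name the InfluxDB 1.x HTTP API uses for the query text.

```python
import json
import re

# InfluxQL single-quoted string literal; a backslash escapes the next character.
_LITERAL = re.compile(r"'((?:[^'\\]|\\.)*)'")

QUERY = ("select * from program_event_name "
         "where account = $account and region = $region "
         "order by time desc limit 1")


def formatted_query(account, region):
    """Pattern from the issue: values are pasted into the query text."""
    return ("select * from program_event_name "
            "where account = '%s' and region = '%s' "
            "order by time desc limit 1" % (account, region))


def literals(query):
    """String literals a parser would see in the query text."""
    return [m.group(1) for m in _LITERAL.finditer(query)]


def values_stay_data(query, values):
    """True only if the literals in the text are exactly the supplied values."""
    return literals(query) == list(values)


def bound_request(account, region):
    """Workaround from the comment: constant query text, values sent as JSON
    in the 'params' HTTP parameter next to 'q'."""
    return {"q": QUERY,
            "params": json.dumps({"account": account, "region": region})}


# Constructed sample inputs: one plain value, one containing an apostrophe.
PLAIN = ("acme", "eu-west-1")
APOSTROPHE = ("O'Brien", "eu-west-1")

if __name__ == "__main__":
    for values in (PLAIN, APOSTROPHE):
        q = formatted_query(*values)
        print(values, "->", literals(q), values_stay_data(q, values))
        print("  bound:", bound_request(*values))
```

A check like `values_stay_data` can sit in a unit test next to any remaining formatted queries to flag inputs that change the query's structure.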
Hi, thank you for your detailed response. Your explanation in the link
provided is very clear. I was not aware of the security risk you describe
and am looking forward to the bind parameter release.
On Wed 17 Apr 2019 at 15:11, Colas Le Guernic <***@***.***> wrote:
I'd argue against including this kind of example, not only is it not a
query with variables (this is string formatting, the formatted string is
passed to influxdb-python without parameters) but more importantly this is
a potentially dangerous pattern as remarked by #316 and #603 and as I
explained here
<https://medium.com/sekoia-io-blog/avoiding-injections-with-influxdb-bind-parameters-50f67e379abb>.
You should use bind parameters instead, they will be available and
documented in the next release.
Or you can already use:
params = {"account": account['name'], "region": region}
query('select * from program_event_name '
'where account = $account '
'and region = $region '
'order by time desc limit 1',
params={"params":json.dumps(params)}
)