Documentation of query format using variables

[Rbain2]

Hi

I spent a long time trying to find a format of query with variable inputs. I eventually found the following which allows parameters in the select statement.
res = influx.query("""
select * from program_event_name
where account = '%s'
and region = '%s'
order by time desc limit 1""" % (
account['name'], region))

at the web site below which includes other influxdb code examples.
https://www.programcreek.com/python/example/107755/influxdb.InfluxDBClient

. This format worked perfectly. I would like to see this or a similar example of parameterized query included in the basic documentation of the library as I believe it gives a lot of extra flexibility which is not obvious to me from the existing documentation and could save developers a lot of time

[clslgrnc]

I'd argue against including this kind of example, not only is it not a query with variables (this is string formatting, the formatted string is passed to influxdb-python without parameters) but more importantly this is a potentially dangerous pattern as remarked by #316 and #603 and as I explained here.

You should use bind parameters instead, they will be available and documented in the next release.
Or you can already use:

params = {"account": account['name'], "region": region}

query('select * from program_event_name '
      'where account = $account '
      'and region = $region '
      'order by time desc limit 1',
      params={"params":json.dumps(params)}
)

[Rbain2]

Hi Thank you for your detailed response . Your explanation in the link provided is very clear. I was not aware of the security risk you describe and am looking forward to the bind parameter release .

…

On Wed 17 Apr 2019 at 15:11, Colas Le Guernic ***@***.***> wrote: I'd argue against including this kind of example, not only is it not a query with variables (this is string formatting, the formatted string is passed to influxdb-python without parameters) but more importantly this is a potentially dangerous pattern as remarked by #316 <#316> and #603 <#603> and as I explained here <https://medium.com/sekoia-io-blog/avoiding-injections-with-influxdb-bind-parameters-50f67e379abb> . You should use bind parameters instead, they will be available and documented in the next release. Or you can already use: params = {"account": account['name'], "region": region} query('select * from program_event_name ' 'where account = $account ' 'and region = $region ' 'order by time desc limit 1', params={"params":json.dumps(params)} ) — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#701 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AZHdUBVGUY-qjLIwf2cmLhzf-bRE9gztks5vhyuPgaJpZM4cppDQ> .