我正在尝试用PG8000创建一个新用户。这段代码有效,但它将密码放在服务器日志中,这是不可取的(我不关心这个用例的SQL注入):
with pg8000.dbapi.connect(**CONNECTION_INFO) as conn:
csr = conn.cursor()
csr.execute("create user example password 'password-123'")
conn.commit()
然后,我可以通过使用绑定参数的查询来选择有关该用户的信息:
with pg8000.dbapi.connect(**CONNECTION_INFO) as conn:
csr = conn.cursor()
csr.execute("select * from pg_user where usename = %s", ("example",))
result = csr.fetchall()
但是,如果我尝试使用绑定参数创建用户:
with pg8000.dbapi.connect(**CONNECTION_INFO) as conn:
csr = conn.cursor()
csr.execute("create user example password %s", ("password-123",))
conn.commit()
请求失败,出现以下客户端错误:
DatabaseError: {'S': 'ERROR', 'V': 'ERROR', 'C': '42601', 'M': 'syntax error at or near "$1"', 'P': '30', 'F': 'scan.l', 'L': '1145', 'R': 'scanner_yyerror'}
这个服务器端错误:
2022-08-26 12:30:02.029 UTC [205] LOG: statement: begin transaction
2022-08-26 12:30:02.029 UTC [205] ERROR: syntax error at or near "$1" at character 30
2022-08-26 12:30:02.029 UTC [205] STATEMENT: create user example password $1
如果我使用PG8000“本机”接口,也会发生同样的情况。
如果我切换到psycopg2,我可以执行用参数编写的create命令,但服务器日志表明客户端进行了参数替换,并发送了一条文字SQL语句:
2022-08-26 12:30:55.317 UTC [206] LOG: statement: BEGIN
2022-08-26 12:30:55.317 UTC [206] LOG: statement: create user example2 password 'password-123'
2022-08-26 12:30:55.317 UTC [206] LOG: statement: COMMIT
