OK. I think I know what to do now. I opened a ticket and will review this asap. Thanks Mariano.
On Thursday, 2 May 2013 10:35:58 UTC-5, Mariano Reingart wrote:
>
> There is new activity in the "original" pg8000 repo, but AFAIK some of
> my changes were not merged, and others were not addressed, but you
> could try that:
>
> https://github.com/mfenniak/pg8000
>
> About escaping, the difference with psycopg2 is that pg8000 uses the
> more advanced query protocol (Prepared Statement) that doesn't require
> escaping and inlining the parameters in the SQL query (so, in theory,
> it is even safer than psycopg2, and more straightforward as it allows
> binary parameters directly).
> Another advantage of the prepared statement protocol is that it could
> be parsed/analyzed once, and executed many times, which should be
> faster in some circumstances.
>
> IIRC, psycopg2 uses the simple query protocol, with inlined parameters
> directly in the SQL.
> It has a mogrify function that escapes the parameters, which should be
> migrated to pg8000 to avoid this kind of issue, or better, just use
> the DBAPI call with parameters, so no escaping will be required (IIRC,
> this is not supported by web2py right now).
> Sadly, many connectors have different implementations of the DBAPI, so it
> would not be trivial to adapt, see for example:
> http://www.python.org/dev/peps/pep-0249/#paramstyle
>
> Also, psycopg2 uses libpq (the postgresql client C library), so it
> will be a lot faster (but a bit harder to install in some scenarios).
> It depends highly on which kind of application you're writing (for
> simple apps, there wouldn't be a significant difference).
>
> BTW, if you have a test case with web2py, I could help to fix the
> issues with pg8000.
>
> Best regards,
>
> Mariano Reingart
> http://www.sistemasagiles.com.ar
> http://reingart.blogspot.com
>
>
> On Thu, May 2, 2013 at 10:13 AM, Massimo Di Pierro
> <massimo....@gmail.com> wrote:
> > I do not remember what the bugs were but they were related to escaping and
> > this poses a security issue. It has not been fixed to my knowledge.
> >
> >
> > On Thursday, 2 May 2013 03:02:26 UTC-5, Marin Pranjić wrote:
> >>
> >> I remember pg8000 having some bugs and I'm not sure if they are fixed.
> >>
> >> psycopg2 should be a better choice
> >>
> >> Marin
> >>
> >>
> >> On Thu, May 2, 2013 at 1:59 AM, Marco Túlio Cícero de M. Porto
> >> <mtcp...@gmail.com> wrote:
> >>>
> >>> Are there any advantages of one or the other, or are they basically the
> >>> same thing?
> >>> I'm using psycopg2 atm.
> >>>
> >>> --
> >>> []'s
> >>> Marco Tulio
> >>>
> >>> --
> >>>
> >>> ---
> >>> You received this message because you are subscribed to the Google Groups
> >>> "web2py-users" group.
> >>> To unsubscribe from this group and stop receiving emails from it, send an
> >>> email to web2py+un...@googlegroups.com.
> >>>
> >>> For more options, visit https://groups.google.com/groups/opt_out.
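The two points Mariano makes above (pass parameters through the DB-API call instead of inlining/escaping them in the SQL text, and the per-driver paramstyle problem from PEP 249 that makes this awkward for a DAL) as an added example. This is not code from the thread, from web2py, or from psycopg2/pg8000. The standard-library sqlite3 module stands in for the PostgreSQL drivers so it runs offline: the cursor.execute(sql, params) call shape is identical, only the paramstyle differs (sqlite3 speaks qmark and named; the %-based format/pyformat output is shown but cannot be executed against sqlite3). The table, rows, hostile input and the helper name to_paramstyle are all constructed for this example.

```python
"""Parameters via the DB-API call vs. hand-inlined SQL, plus a small
PEP 249 paramstyle rewriter. Added example; sqlite3 stands in for
psycopg2/pg8000 (assumption: same DB-API call shape, different paramstyle).
"""
import re
import sqlite3

# Single-quoted SQL literals (with '' escapes) are matched as a unit so a
# '?' inside them is left alone; a bare '?' is a placeholder to rewrite.
_TOKEN = re.compile(r"'(?:[^']|'')*'|\?")

# Placeholder text per PEP 249 paramstyle for the i-th (0-based) parameter.
_STYLES = {
    "qmark":    lambda i: "?",
    "numeric":  lambda i: ":%d" % (i + 1),
    "named":    lambda i: ":p%d" % i,
    "format":   lambda i: "%s",
    "pyformat": lambda i: "%%(p%d)s" % i,
}


def to_paramstyle(sql, params, style):
    """Rewrite a query written with '?' placeholders and positional params
    into the given paramstyle. Returns (sql, params) for cursor.execute();
    params becomes a dict for the named styles. For the %-based styles a
    literal '%' in the SQL text is doubled, since those drivers interpolate
    the string themselves."""
    make = _STYLES[style]
    params = list(params)
    pieces, last, n = [], 0, 0          # pieces: (is_placeholder, text)
    for m in _TOKEN.finditer(sql):
        if m.group() != "?":
            continue                    # string literal: keep verbatim
        pieces.append((False, sql[last:m.start()]))
        pieces.append((True, make(n)))
        n, last = n + 1, m.end()
    pieces.append((False, sql[last:]))
    if n != len(params):
        raise ValueError("query has %d placeholders, got %d params" % (n, len(params)))
    out = []
    for is_ph, text in pieces:
        if not is_ph and style in ("format", "pyformat"):
            text = text.replace("%", "%%")
        out.append(text)
    if style in ("named", "pyformat"):
        return "".join(out), {"p%d" % i: v for i, v in enumerate(params)}
    return "".join(out), tuple(params)


def build_db():
    """Constructed sample data: an in-memory sqlite3 users table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT);"
        "INSERT INTO users VALUES (1, 'alice'), (2, 'bob');"
    )
    return conn


SQL = "SELECT id FROM users WHERE name = ? ORDER BY id"


def lookup_inlined(conn, name):
    """The bug class the thread is about: the value is inlined into the SQL
    text with naive quoting, so a quote in the input rewrites the query."""
    stmt = "SELECT id FROM users WHERE name = '%s' ORDER BY id" % name
    return [row[0] for row in conn.execute(stmt)]


def lookup_parameterized(conn, name, style):
    """The value goes to the driver through the DB-API call; nothing is
    escaped in Python. style is whatever the driver speaks."""
    sql, params = to_paramstyle(SQL, [name], style)
    return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    conn = build_db()
    hostile = "' OR '1'='1"     # constructed input that breaks naive quoting
    print(lookup_inlined(conn, hostile))                 # every row
    print(lookup_parameterized(conn, hostile, "qmark"))  # no match
    print(to_paramstyle(SQL, ["bob"], "pyformat"))       # psycopg2/pg8000 form
```

The inlined variant returns both rows for the hostile input because the query text becomes `WHERE name = '' OR '1'='1'`; the parameterized variant returns nothing because the driver only ever sees the whole string as one value. The rewriter is what a DAL needs in front of drivers that disagree on paramstyle; it deliberately does nothing about quoting, which is the driver's job.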