Hello,
I'm concerned about whether the usual parameter escaping mechanism is enough in a LIKE or regular expression search.
I run a recent Postgres version and use the Python connector psycopg2 for a web application. I understand that if I always escape as in
dBres=dBcsr.execute('SELECT docText FROM documents WHERE name=%(storyName)s',{'storyName':storyName})
then I am doing the right thing. Suppose now that I want to search the text of those documents? I have been unable to find if I need to anything more for a LIKE or regex search, and also unable to find any assurance that it is enough. (No doubt I've not looked in the right place; sorry.)
I plan to add full text searching also; is the escaping mechanism enough there?
Thank you for your help,
Jim
