Skip to content

Add notify method #2

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
leodaher wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Add notify method #2

leodaher wants to merge 3 commits into from

Conversation

@leodaher
Copy link

@leodaher leodaher commented Aug 26, 2019

This patch adds a method for sending a PostgreSQL notify with a payload
to a specific channel.

@leodaher leodaher force-pushed the add-notify branch 2 times, most recently from ebd9f0c to 35246b3 Compare August 30, 2019 16:21
madsmtm
madsmtm reviewed Sep 5, 2019
View reviewed changes
pgnotify/__init__.py Outdated
"""
connection = get_dbapi_connection(connection)
cursor = connection.cursor()
cursor.execute("NOTIFY %s, '%s';" % (channel, payload))
Copy link

@madsmtm madsmtm Sep 5, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is vulnerable to SQL-injection (correct me if I'm wrong 😉). Is there a way to fix this? If not, it should be explicitly stated in the documentation that untrusted payloads / channels aren't supported.

Copy link

@matthewwo matthewwo Sep 6, 2019
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As far as I know Psycopg2’s execute method will sanitizes the arguments if passed as a tuple to the method.

For example

conn.execute(“NOTIFY %s, %s”, (channel, payload))

I’m not sure about sqlalchemy though :)

Look forward to this PR be merged! Looks neat and the library can be more complete with this change.

Copy link

@matthewwo matthewwo Sep 6, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also it seems to be better to use the pg_notify function in Postgres for sending notifications to non-constant channel names and payloads?

Refer to the Notes section in the doc: https://www.postgresql.org/docs/9.0/sql-notify.html

@djrobstep
Copy link
Owner

djrobstep commented Sep 9, 2019

Thank you kindly for this PR! Definitely a much-needed addition to this library.

Some things will need changing before we merge:

  • The current implementation is vulnerable to SQL injection (as mentioned by @madsmtm)
  • The cursor needs proper cleanup (probably with a with as per http://initd.org/psycopg/docs/usage.html)
  • As the docs and @prankymat mention, the pg_notify( function is probably nicer than the keyword style so let's change to that.
  • I'd rather the tests did a real test with a temporary database rather than mocking (this isn't essential, so we can probably change this in the future/a separate PR/whatever).

@leodaher
Add notify method
cb7d780 
This patch adds a method for sending a PostgreSQL notify with a payload
to a specific channel.
@leodaher
Format code
e983ebc
@leodaher
Add support for installing via pip directly from github
bc7c6be
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@matthewwo matthewwo matthewwo left review comments

@madsmtm madsmtm madsmtm left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@leodaher @djrobstep @matthewwo @madsmtm