False Positives in SQL inspection

Answered

There are times when the code requires dynamic construction of SQL and other times when a text string that has nothing to do with SQL is parsed as SQL with errors.  How can I help PyCharm to understand when a string is just a string and not SQL? 

For example:

    # PREVIOUS CODE MAY OR MAY NOT HAVE CONSTRUCTED A PARTIAL SQL STATEMENT
    if sql:
        sql += ','
    else:
        # IF NO SQL WAS GENERATED, START A SQL STATEMENT HERE
        sql = """
        INSERT INTO path.paths
        (left_delineator_id, right_delineator_id, envelope)
        VALUES """  # HERE IS WHERE THE ERROR APPEARS: '(' expected, got 'missing_value'

    sql += "(%s, %s, ST_GeomFromText('%s', 4326))" % (int(delineator_pair[1]), int(delineator_pair[0]), polygon)

    sql += ' RETURNING id;'
    with self.get_transaction() as cursor:
        cursor.execute(sql)

0
1 comment

Hi, append

    # language=TEXT

before the string literal, e.g.

    # language=TEXT
    sql = """
    INSERT INTO path.paths

This should disable SQL injection.

0
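To show how the `# language=TEXT` comment from the answer fits into the dynamic-SQL pattern from the question, here is an added example (not code from the poster or from JetBrains). It assumes a DB-API driver with the `%s` paramstyle (psycopg2 is the assumption here) and generalizes the one-row build into a list of `VALUES` rows. The fragment that PyCharm misparsed is marked as plain text, and the row values are no longer formatted into the string with `%` but handed to `cursor.execute` as parameters, so the driver quotes the polygon text rather than the application code:

```python
from typing import Any, List, Sequence, Tuple

# Column list is a constant fragment; PyCharm would otherwise try to parse it
# as SQL and fail on the trailing "VALUES " with nothing after it.
# language=TEXT
INSERT_HEAD = ("INSERT INTO path.paths "
               "(left_delineator_id, right_delineator_id, envelope) VALUES ")

# One placeholder row; the geometry text is bound as a parameter, not inlined.
# language=TEXT
ROW_TEMPLATE = "(%s, %s, ST_GeomFromText(%s, 4326))"


def build_insert(delineator_pairs: Sequence[Tuple[Any, Any]],
                 polygons: Sequence[str]) -> Tuple[str, List[Any]]:
    """Return (sql, params) for a multi-row INSERT.

    Mirrors the poster's ordering: pair[1] is the left id, pair[0] the right id.
    """
    rows: List[str] = []
    params: List[Any] = []
    for pair, polygon in zip(delineator_pairs, polygons):
        rows.append(ROW_TEMPLATE)
        params.extend([int(pair[1]), int(pair[0]), polygon])
    sql = INSERT_HEAD + ", ".join(rows) + " RETURNING id;"
    return sql, params


class RecordingCursor:
    """Constructed stand-in for a DB-API cursor so the example runs offline."""

    def __init__(self) -> None:
        self.calls: List[Tuple[str, List[Any]]] = []

    def execute(self, sql: str, params: Sequence[Any] = ()) -> None:
        self.calls.append((sql, list(params)))


def insert_paths(cursor, delineator_pairs, polygons) -> Tuple[str, List[Any]]:
    """Build the statement and execute it with bound parameters."""
    sql, params = build_insert(delineator_pairs, polygons)
    cursor.execute(sql, params)  # driver performs the quoting
    return sql, params


if __name__ == "__main__":
    # Constructed sample input: one delineator pair and one WKT polygon.
    cur = RecordingCursor()
    stmt, bound = insert_paths(cur, [(10, 11)], ["POLYGON((0 0,1 0,1 1,0 0))"])
    print(stmt)
    print(bound)
```

Keeping each SQL fragment in a constant with its own `# language=TEXT` comment stops the inspection noise at the point where the string is actually defined; passing the values as parameters also removes the need to quote `'%s'` by hand, which is where the original code interpolated `polygon` directly into the statement.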
