
PyPsycopg2

psycopg2 is the canonical PostgreSQL driver for Python. cursor.execute() and cursor.executemany() are SQL injection sinks whenever the query string is assembled from user input by string concatenation or f-strings. Keep the SQL text constant and pass values through %s placeholders in the vars argument so the driver quotes them.

Taint flow: 0 sources, 2 sinks (dangerous calls): .execute(), .executemany()

Sinks

.execute() (Sink)

Signature
cursor.execute(query: str, vars: Sequence | Mapping = None) -> None

Executes a query. SQL injection sink when query is built from user input.

tracks: 0
.executemany() (Sink)

Signature
cursor.executemany(query: str, vars_list: Iterable) -> None

Executes a query once for each element in vars_list. Same injection risk.

tracks: 0

Other Methods

.connect() (Neutral)

Signature
psycopg2.connect(dsn=None, ...) -> Connection

Opens a PostgreSQL connection.

.mogrify() (Neutral)

Signature
cursor.mogrify(query: str, vars=None) -> bytes

Returns the query after parameter substitution. Does not execute it, but the resulting bytes can flow to a later execute().
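As an added illustration (not code from codepathfinder or psycopg2), the self-contained Python scan below shows the sink/propagator distinction described for .execute(), .executemany() and .mogrify() above: it parses a few constructed snippets, reports execute()/executemany() calls whose query argument is assembled at runtime (f-string, +, %, str.format), follows simple assignments, and treats mogrify() as a neutral propagator. A literal query with %s placeholders that passes through mogrify() therefore stays clean, while an f-string passed through it still reaches the sink. The snippet names, the SQL text and the find_sql_sinks helper are all constructed for this example.

```python
# Added example, not code from codepathfinder or psycopg2: a minimal AST scan
# for the two sinks on this page, with cursor.mogrify() as a neutral propagator.
import ast
import textwrap
from typing import Dict, List, Optional, Tuple

SINKS = {"execute", "executemany"}   # dangerous calls named on this page
PROPAGATORS = {"mogrify"}            # neutral: output carries the query's taint


def _classify(node: ast.expr, env: Dict[str, ast.expr], seen: frozenset) -> Optional[str]:
    """None if the query is a plain string literal (safe with %s placeholders),
    otherwise a short reason why user input may have been spliced into it."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return None
    if isinstance(node, ast.JoinedStr):
        return "f-string"
    if isinstance(node, ast.BinOp):
        if isinstance(node.op, ast.Add):
            return "string concatenation"
        if isinstance(node.op, ast.Mod):
            return "%-formatting"
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        if node.func.attr == "format":
            return "str.format()"
        if node.func.attr in PROPAGATORS and node.args:
            # mogrify() is not a sink itself; it forwards whatever its query carried.
            inner = _classify(node.args[0], env, seen)
            return None if inner is None else f"{inner} via {node.func.attr}()"
    if isinstance(node, ast.Name):
        if node.id in env and node.id not in seen:
            return _classify(env[node.id], env, seen | {node.id})
        return "unresolved variable"
    return "non-literal expression"


def find_sql_sinks(source: str) -> List[Tuple[int, str, str]]:
    """Return (line, method, reason) for each sink call with a runtime-built query."""
    tree = ast.parse(source)
    # Crude environment: the last simple `name = expr` assignment seen per name.
    env: Dict[str, ast.expr] = {}
    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            env[node.targets[0].id] = node.value
    findings: List[Tuple[int, str, str]] = []
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in SINKS and node.args):
            reason = _classify(node.args[0], env, frozenset())
            if reason is not None:
                findings.append((node.lineno, node.func.attr, reason))
    return sorted(findings)


# Constructed snippets (not from any real project); line 1 is the def line.
SAMPLES = {name: textwrap.dedent(src).strip() for name, src in {
    "fstring": """
        def find_user(cur, name):
            cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
    """,
    "concat": """
        def find_user(cur, name):
            cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
    """,
    "percent": """
        def find_user(cur, name):
            cur.execute("SELECT * FROM users WHERE name = '%s'" % name)
    """,
    "format": """
        def find_user(cur, name):
            cur.execute("SELECT * FROM users WHERE name = '{}'".format(name))
    """,
    "executemany_fstring": """
        def add_rows(cur, table, rows):
            cur.executemany(f"INSERT INTO {table} (name) VALUES (%s)", rows)
    """,
    "mogrify_tainted": """
        def find_user(cur, name):
            q = cur.mogrify(f"SELECT * FROM users WHERE name = '{name}'")
            cur.execute(q)
    """,
    "mogrify_parameterized": """
        def find_user(cur, name):
            q = cur.mogrify("SELECT * FROM users WHERE name = %s", (name,))
            cur.execute(q)
    """,
    "parameterized": """
        def find_user(cur, name):
            cur.execute("SELECT * FROM users WHERE name = %s", (name,))
    """,
}.items()}


def scan_all() -> Dict[str, List[Tuple[int, str, str]]]:
    """Run the scan over every constructed snippet; empty list means clean."""
    return {name: find_sql_sinks(src) for name, src in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_all().items():
        print(f"{name:>22}: {hits or 'clean'}")
```

The environment here is deliberately crude (last assignment per name, no branches or calls), which is the gap a real taint engine such as the rule this page describes fills; the point is the classification at the sink and the forwarding through mogrify(), not the flow analysis.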

Fully-Qualified Names

FQN                          Field
psycopg2                     fqns[0]
psycopg2.extensions.cursor   fqns[1]

A wrong FQN yields 0 findings. Verify the FQNs are actually matched by changing fqns to garbage values: the rule must then produce 0 results.

Import

rule.py
from codepathfinder.go_rule import PyPsycopg2