Avoiding Python boto SelectExpression for Amazon SimpleDB

My code is currently

import boto3

client = boto3.client('sdb')
# domain, key and value are plain Python strings; key and value come from the user
# and are interpolated into the expression unescaped
query = 'SELECT * FROM `%s` WHERE "%s" = "%s"' % (domain, key, value)
response = client.select(SelectExpression=query)

The variables key and value are introduced by the user; what is the best way to avoid them in my previous code?

Edit: I am worried about how to avoid fields like we did in the past to prevent SQL injection, but now in SimpleDB

+4
2 answers

Subsets and destructive operations cannot be performed using SimpleDB.

Amazon provides quoting rules: http://docs.aws.amazon.com/AmazonSimpleDB/latest/DeveloperGuide/QuotingRulesSelect.html

In Python, for example:

import boto3


def quote(string):
    # SimpleDB escapes a quote character by doubling it; double all three
    # quote characters so none of them can terminate the enclosing quotes
    return string.replace("'", "''").replace('"', '""').replace('`', '``')


client = boto3.client('sdb')
query = 'SELECT * FROM `%s` WHERE "%s" = "%s"' % (quote(domain), quote(key), quote(value))
response = client.select(SelectExpression=query)
+3
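The following is an added example (not code from the question or the answer above) that makes the quoting technique concrete. It builds the same select expression two ways, once with the naive string formatting from the question and once with the doubling rule from the linked quoting-rules page, and runs a constructed injection payload through both so the difference is visible. The function names, the domain and attribute names, and the sample values are all assumptions made for the example; the boto3 call itself is left out so the snippet runs offline.

```python
def sdb_quote(text, delimiter):
    """Wrap text in the given SimpleDB delimiter, escaping that delimiter by
    doubling it (the rule on the AWS "Quoting Rules" page). Only the
    enclosing delimiter is doubled, so other quote characters stay literal."""
    if delimiter not in ("'", '"', '`'):
        raise ValueError("SimpleDB delimiters are ' \" and `")
    return delimiter + text.replace(delimiter, delimiter * 2) + delimiter


def unsafe_select(domain, key, value):
    """The pattern from the question: user input interpolated verbatim."""
    return 'SELECT * FROM `%s` WHERE "%s" = "%s"' % (domain, key, value)


def safe_select(domain, key, value):
    """Domain and attribute names go in backticks, the value in single quotes,
    each escaped by doubling its own delimiter."""
    return "SELECT * FROM %s WHERE %s = %s" % (
        sdb_quote(domain, "`"),
        sdb_quote(key, "`"),
        sdb_quote(value, "'"),
    )


if __name__ == "__main__":
    # constructed sample: an attribute value that tries to close the quotes
    # and append its own condition
    domain, key = "users", "email"
    payload = 'x" OR "a" = "a'
    print(unsafe_select(domain, key, payload))
    print(safe_select(domain, key, payload))
    # the escaped expression would then be passed as:
    # client.select(SelectExpression=safe_select(domain, key, payload))
```

With the payload above, `unsafe_select` yields a WHERE clause containing a second condition `"a" = "a"` that is always true, whereas `safe_select` keeps the whole payload inside one quoted literal. Escaping only the enclosing delimiter (rather than all three quote characters at once) matters when a legitimate value contains, say, a backtick: doubling it inside a single-quoted literal would make SimpleDB compare against two backticks instead of one.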

sideffect SQL-, /, SimpleDB , ( ) aws docs

. , copy pasting ,

+2

Source: https://habr.com/ru/post/1661744/
