Frappe.db.sql is this safe?

Hello, I am using the following in a custom app which receives requests from an API call:

import frappe

# value_from_query_params comes straight from the request and is spliced into the SQL text by the f-string
items = frappe.db.sql(f"""
        select i.item_name, i.item_code
        from `tabItem` i
        where i.item_code = '{value_from_query_params}'
    """, as_dict=True)

So I would like to know if the usage of a Python f-string like this is safe. I know that by using single quotes around the f-string, SQL subqueries have no effect, but I am not sure.

Edit:
Yes, it is not safe that way, so the following is the safe form of using db.sql:

import frappe

# Named placeholder: the value is passed separately and escaped by the driver, so it can only ever be a string literal
# (no f prefix is needed; the query text itself is constant)
items = frappe.db.sql("""
        select i.item_name, i.item_code
        from `tabItem` i
        where i.item_code = %(value_from_query_params)s
    """, {"value_from_query_params": value_from_query_params}, as_dict=True)
2 Likes
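To make the difference between the two forms concrete, here is an added, self-contained example (not code from the original post or from Frappe). It rebuilds the two-column `tabItem` query on an in-memory SQLite table with constructed rows, runs the original f-string version and a parameterised version against two attacker-controlled values, and shows that the single quotes around the f-string do not stop a quote in the input from breaking out, including with a subquery. SQLite uses `:name` placeholders where Frappe's MariaDB driver uses `%(name)s`; the mechanism (value sent separately from the SQL text) is the same. The table layout, sample rows and payloads are assumptions made for the demo.

```python
import sqlite3

# Constructed sample data standing in for `tabItem`; not Frappe's real schema.
SAMPLE_ITEMS = [
    ("Widget", "ITEM-001"),
    ("Gadget", "ITEM-002"),
    ("Gizmo", "ITEM-003"),
]


def make_demo_db():
    """Build an in-memory SQLite table with the two columns the post queries."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("create table tabItem (item_name text, item_code text primary key)")
    conn.executemany("insert into tabItem values (?, ?)", SAMPLE_ITEMS)
    return conn


def vulnerable_lookup(conn, value_from_query_params):
    """Mirror of the original f-string query: the value becomes part of the SQL text.
    The surrounding single quotes only hold until the input itself contains one."""
    sql = f"""
        select i.item_name, i.item_code
        from tabItem i
        where i.item_code = '{value_from_query_params}'
    """
    return [dict(row) for row in conn.execute(sql).fetchall()]


def safe_lookup(conn, value_from_query_params):
    """Parameterised form (SQLite ':name' placeholder; Frappe/MariaDB uses '%(name)s').
    The driver sends the value separately from the query, so it is never parsed as SQL."""
    sql = """
        select i.item_name, i.item_code
        from tabItem i
        where i.item_code = :value_from_query_params
    """
    params = {"value_from_query_params": value_from_query_params}
    return [dict(row) for row in conn.execute(sql, params).fetchall()]


# Two values an API caller could send as the query parameter (constructed payloads).
PAYLOAD_TAUTOLOGY = "x' OR '1'='1"
# A subquery placed inside the quoted string: the quotes do not neutralise it,
# and the trailing -- comments out the closing quote that the f-string appends.
PAYLOAD_SUBQUERY = "x' OR i.item_code IN (select item_code from tabItem) --"


if __name__ == "__main__":
    conn = make_demo_db()
    print(vulnerable_lookup(conn, "ITEM-001"))         # one row, as intended
    print(vulnerable_lookup(conn, PAYLOAD_TAUTOLOGY))  # every row leaks
    print(vulnerable_lookup(conn, PAYLOAD_SUBQUERY))   # every row leaks via the subquery
    print(safe_lookup(conn, PAYLOAD_TAUTOLOGY))        # [] : payload treated as a literal item_code
    print(safe_lookup(conn, PAYLOAD_SUBQUERY))         # []
    print(safe_lookup(conn, "ITEM-001"))               # one row
```

Run it as a script to see both lookups side by side. The parameterised function returns an empty list for both payloads because the whole string is compared against `item_code` as data; the f-string function returns all three rows because the quote in the input closes the literal early and the rest is executed as SQL.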

Even better: use the framework instead of raw SQL.

import frappe

# Looks up the Item document named by the request value; the framework builds and parameterises the query itself
item_name = frappe.db.get_value("Item", value_from_query_params, "item_name")
1 Like