log_queries seems to log unsanitized queries?

[pavdwest]

Starting up the engine with log_queries=True:

engine = PostgresEngine(
            config=bind.piccolo_config,
            log_queries=True,
            log_responses=True,
 )

Running a query with unsanitized input:

unsanitized_input = "%';drop table product;select '"
res = await Product.select().where(Product.title.ilike(unsanitized_input)).first().run()

Logs query as:

SELECT ALL "product"."id" AS "id",
    "product"."created_at" AS "created_at",
    "product"."updated_at" AS "updated_at",
    "product"."is_active" AS "is_active",
    "product"."title" AS "title",
    "product"."description" AS "description",
    "product"."price" AS "price"
FROM "product"
WHERE "product"."title" ILIKE '%';
drop table product;
select ''
LIMIT 1

The good news is that the SQL injection doesn't succeed, it's merely the log that doesn't show the sanitized query.

[dantownsend]

Yeah, we parameterise all of the queries which get sent to the database, but the logs are just a string representation of the query.

I guess there is some risk that someone would copy the logged query and manually run it.

What kind of output would you prefer to see in the logs?

[pavdwest]

It's not a showstopper or anything, might just be nice to see the log output be as close as possible to what's actually running on the db. If there's no simple way to do this I wouldn't waste time on it.