search

coiled / dask-snowflake

Dask integration for Snowflake
BSD 3-Clause "New" or "Revised" License
29 stars 7 forks source link

Support for parameterized SQL #23

Closed mdwgrogan closed 1 year ago

mdwgrogan commented 2 years ago

https://github.com/coiled/dask-snowflake/blob/f1114e53d2d9e6b6f20e50292e7982da54a903ac/dask_snowflake/core.py#L164

The snowflake cursor supports parameters (bind variables) in execute, but the read_snowflake function doesn't currently provide a way to pass these through. Adding an optional parameter execute_params to read_snowflake would add this functionality, reducing the security risk of using f-strings or some other templating on the SQL string.

mrocklin commented 1 year ago

@mdwgrogan can you motivate this a bit? What are some example parameters that you'd like access to? In our conversation you mentioned wanting to get at extension dtypes like nullable integers.

mrocklin commented 1 year ago

Or is this different from what you were discussing in our call about passing down keyword arguments?

mdwgrogan commented 1 year ago

This issues is for parameterized sql. E.g.

curs.execute("select * from tbl where date = %(target)s", params={"target": "2022-06-31"})

You can use f-strings for this, but this approach is preferred since it sanitizes inputs.