<div dir="ltr"><div dir="ltr"><div>Hi,</div></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">Le ven. 19 juin 2026 à 09:49, Johannes Kröger (WhereGroup) via QGIS-Developer <<a href="mailto:qgis-developer@lists.osgeo.org">qgis-developer@lists.osgeo.org</a>> a écrit :<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">In the meantime I can recommend psycopg's </blockquote><div><br></div><div>Personally, I would not use Psycopg, as it will bypass QGIS settings, and mainly queries will not be shown in QGIS logs and/or in the PostgreSQL log panel, which is IMHO quite nice. Like in the webbrowser, in the dev tools, we can see "all" requests, loading scripts etc.</div><div><br></div><div>Even if the plugin is doing some work under the hood, it's important to see outgoing requests made when loading QGIS, loading a project, panning on the map etc ...</div><div><br></div><div>As Julien said, It seems that just a call to "format" with a Python dictionary might be enough for now : </div><div><pre class="gmail-notranslate"><span class="gmail-pl-s1">sql</span> <span class="gmail-pl-c1">=</span> <span class="gmail-pl-s">"SELECT * FROM {schema}.foo"</span>
<span class="gmail-pl-s1">params</span> <span class="gmail-pl-c1">=</span> {
<span class="gmail-pl-s">"schema"</span>: <span class="gmail-pl-s">"test"</span>,
}
<span class="gmail-pl-s1">sql</span> <span class="gmail-pl-c1">=</span> <span class="gmail-pl-s1">sql</span>.<span class="gmail-pl-c1">format</span>(<span class="gmail-pl-c1">**</span><span class="gmail-pl-s1">params</span>)</pre>This snippet looks fine for Bandit.</div><div> </div><div>I also agree with Julien with the usage of "nosec". It depends on the final purpose of these checks, but if the idea is to "control" a little bit what the plugin can do, indeed, to disable "nosec" etc should be the way to go, otherwise developers won't care anymore about these checks.</div><div><br></div><div>Regards</div></div></div>