Prevent SQL Injection with Python's Psycopg2 Prepared Statements

import psycopg2
from psycopg2 import sql

def execute_secure_query(username_input):
    conn = None
    try:
        # Replace with your actual database connection details
        conn = psycopg2.connect(
            dbname="your_db_name",
            user="your_db_user",
            password="your_db_password",
            host="localhost"
        )
        cur = conn.cursor()

        # --- SECURE WAY: Using parameterized queries ---
        # The 'WHERE username = %s' is a placeholder. Psycopg2 handles escaping the value.
        query = sql.SQL("SELECT id, email FROM users WHERE username = %s")
        cur.execute(query, (username_input,)) # Pass parameters as a tuple/list

        user_data = cur.fetchone()
        if user_data:
            print(f"Found user: ID={user_data[0]}, Email={user_data[1]}")
        else:
            print(f"User '{username_input}' not found.")

        # --- INSECURE WAY (for comparison, DO NOT USE IN PRODUCTION) ---
        # This is vulnerable to SQL injection if username_input contains malicious code.
        # insecure_query = f"SELECT id, email FROM users WHERE username = '{username_input}'"
        # cur.execute(insecure_query)

    except psycopg2.Error as e:
        print(f"Database error: {e}")
    finally:
        if conn:
            conn.close()

# Example usage
print("--- Secure query with valid input ---")
execute_secure_query("john_doe")

print("
--- Secure query with potentially malicious input ---")
# This input would be catastrophic with string concatenation
execute_secure_query("admin' OR '1'='1")

print("
--- Secure query with SQL comment injection attempt ---")
execute_secure_query("test_user'; DROP TABLE users; --")