[sqlalchemy] Is Session.execute SQL injection safe?

2011-02-28 Thread Ryan
Can't find anything in the docs as to whether query strings passed into 
Session.execute are escaped/safe from SQL injection. Any insights? Thanks.

-- 
You received this message because you are subscribed to the Google Groups 
sqlalchemy group.
To post to this group, send email to sqlalchemy@googlegroups.com.
To unsubscribe from this group, send email to 
sqlalchemy+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/sqlalchemy?hl=en.



Re: [sqlalchemy] Is Session.execute SQL injection safe?

2011-02-28 Thread Michael Bayer

On Feb 28, 2011, at 5:35 PM, Ryan wrote:

 Can't find anything in the docs as to whether query strings passed into 
 Session.execute are escaped/safe from SQL injection. Any insights? Thanks.

A literal query string is only safe against injection if you ensure that the 
string contains no portions of user-entered text inside of it. Bind 
parameters should always be used for literal values. Docs on the text() 
construct which Session.execute() uses, and the accepted bind parameter format, 
are here:
http://www.sqlalchemy.org/docs/core/expression_api.html#sqlalchemy.sql.expression.text



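The distinction Michael draws (user text interpolated into the literal SQL string versus a bind parameter carrying the value separately) as an added example that is not code from this thread or from SQLAlchemy. It runs against the stdlib sqlite3 DB-API so it needs no SQLAlchemy install; the `:name` placeholder is the same bind parameter format the text() construct accepts, and the table contents and user names are constructed for the demo.

```python
import sqlite3


def make_db():
    # Constructed sample data: an in-memory table with three users.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (name, is_admin) VALUES (?, ?)",
        [("alice", 1), ("bob", 0), ("o'brien", 0)],
    )
    return conn


def find_user_unsafe(conn, name):
    # User-entered text is spliced into the literal query string. The
    # database sees one opaque string, so nothing is escaped: a quote in
    # the input changes the statement's structure (or just breaks it).
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def find_user_bound(conn, name):
    # Bind parameter: the statement text is fixed and the value travels
    # separately, so the input is always treated as a literal value.
    sql = "SELECT name FROM users WHERE name = :name"
    return [row[0] for row in conn.execute(sql, {"name": name})]


if __name__ == "__main__":
    db = make_db()
    for candidate in ("alice", "o'brien", "' OR '1'='1"):
        print("bound :", repr(candidate), "->", find_user_bound(db, candidate))
        try:
            print("unsafe:", repr(candidate), "->", find_user_unsafe(db, candidate))
        except sqlite3.OperationalError as exc:
            print("unsafe:", repr(candidate), "-> SQL error:", exc)
```

A legitimate name containing a quote is the quickest way to see that the interpolated form is wrong as well as unsafe: the bound query finds o'brien, the unsafe one errors out.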



Re: [sqlalchemy] Is Session.execute SQL injection safe?

2011-02-28 Thread Ryan McKillen
Great. Thank you.



On Mon, Feb 28, 2011 at 9:37 PM, Michael Bayer mike...@zzzcomputing.com wrote:


 On Feb 28, 2011, at 5:35 PM, Ryan wrote:

  Can't find anything in the docs as to whether query strings passed into
 Session.execute are escaped/safe from SQL injection. Any insights? Thanks.

 A literal query string is only safe against injection if you ensure that
 the string contains no portions of user-entered text inside of it. Bind
 parameters should always be used for literal values. Docs on the text()
 construct which Session.execute() uses, and the accepted bind parameter
 format, are here:
 http://www.sqlalchemy.org/docs/core/expression_api.html#sqlalchemy.sql.expression.text



