Hi,
It doesn't, and that would be a reasonable addition.
I'm also thinking that startswith, endswith and contains should probably do
the escaping by default.
If you create a ticket I'll look at it sometime, although not for a couple
of weeks (I'm on holiday, woo :-)
Paul
On 9/21/07, Felix Schwarz [EMAIL PROTECTED] wrote:
Hi,
as several nice people from this list told me, SQLAlchemy uses bound
parameters by default so that ordinary SQL injections are not possible
anymore.
However, I want to escape search patterns in like-queries, e.g.:
User.c.username.like('%' + userinput + '%')
Of course, I can write my own function to escape all pattern characters
but as always it seems to be more secure to use existing functions.
After looking at the documentation for SQLAlchemy 0.3.10, I did not find
an escape function.
So just a quick question: Does SQLAlchemy come with a function to escape
patterns?
thank you very much
fs
You received this message because you are subscribed to the Google Groups
sqlalchemy group.
To post to this group, send email to sqlalchemy@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at
http://groups.google.com/group/sqlalchemy?hl=en
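An added example, not from this thread or from the SQLAlchemy project, of the pattern escaping Felix asks about. It uses the standard-library sqlite3 module instead of SQLAlchemy so it runs stand-alone; the users table, the usernames and the choice of backslash as the escape character are all constructed here for illustration. The point it demonstrates is the one Felix raises: a bound parameter stops SQL injection, but a user-supplied % or _ inside a LIKE pattern is still interpreted as a wildcard unless the pattern is escaped and the query names the escape character.

```python
import sqlite3

# Escape character for the LIKE ... ESCAPE clause. Backslash is a choice made
# for this example; any single character works as long as the query names it.
ESCAPE_CHAR = "\\"


def escape_like(value, escape=ESCAPE_CHAR):
    """Escape LIKE metacharacters in a search term so they match literally.

    The escape character itself is doubled first; otherwise the escapes added
    for '%' and '_' in the following steps would themselves be re-escaped.
    """
    return (value.replace(escape, escape + escape)
                 .replace("%", escape + "%")
                 .replace("_", escape + "_"))


def contains_pattern(userinput):
    """Build a 'contains' pattern: our own wildcards around an escaped literal."""
    return "%" + escape_like(userinput) + "%"


def build_demo_db():
    """Constructed sample data (not from the thread) for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)",
                     [("alice",), ("bob_smith",), ("100%_legit",), ("carol",)])
    return conn


def search_unescaped(conn, userinput):
    """Bound parameter (no SQL injection), but wildcards in userinput still
    act as wildcards: '%' or '_' from the user matches every row."""
    cur = conn.execute("SELECT username FROM users WHERE username LIKE ?",
                       ("%" + userinput + "%",))
    return sorted(row[0] for row in cur)


def search_escaped(conn, userinput):
    """Bound parameter plus ESCAPE clause: userinput is matched literally.
    The SQL text below reads ESCAPE '\\' once Python unescapes the string."""
    cur = conn.execute(
        "SELECT username FROM users WHERE username LIKE ? ESCAPE '\\'",
        (contains_pattern(userinput),))
    return sorted(row[0] for row in cur)


if __name__ == "__main__":
    conn = build_demo_db()
    for term in ("%", "_", "100%", "bob_s"):
        print(repr(term), "unescaped:", search_unescaped(conn, term),
              "escaped:", search_escaped(conn, term))
```

Searching for a bare "%" with the unescaped query returns every user, a cheap way to enumerate a table through a "search" box; the escaped query returns only the username that actually contains a percent sign. The same escaped pattern is what you would hand to SQLAlchemy once the ORM lets you name the escape character (later releases of like() accept an escape argument, and from SQLAlchemy 1.2 contains(), startswith() and endswith() take autoescape=True, which is the default behaviour Paul proposes above).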