Re: [sqlalchemy] SqlAlchemy vulnerabilities CVE-2019-7164

2019-09-13 Thread 'ANAND NARAYAN' via sqlalchemy
Mike thanks for sharing the information. Best Regards, Anand On Friday, September 13, 2019 at 8:01:22 PM UTC+5:30, Mike Bayer wrote: > > yes. per the headline linked in that article: "SQLAlchemy through 1.2.17 > and 1.3.x **through 1.3.0b2** allows SQL Injection via the order_by > parameter."

Re: [sqlalchemy] SqlAlchemy vulnerabilities CVE-2019-7164

2019-09-13 Thread 'ANAND NARAYAN' via sqlalchemy
Brian thanks for sharing the information. Best Regards, Anand On Friday, September 13, 2019 at 8:01:22 PM UTC+5:30, Mike Bayer wrote: > > yes. per the headline linked in that article: "SQLAlchemy through 1.2.17 > and 1.3.x **through 1.3.0b2** allows SQL Injection via the order_by >

Re: [sqlalchemy] Column name collision with method name

2019-09-13 Thread Gary L
This worked great, thank you for the help! On Friday, September 13, 2019 at 11:16:06 AM UTC-4, Mike Bayer wrote: > > > > On Fri, Sep 13, 2019, at 10:46 AM, Gary L wrote: > > I have a declarative model as below > > > class User(Base): > __tablename__ = 'users' > __table_args__ = { >

Re: [sqlalchemy] Column name collision with method name

2019-09-13 Thread Simon King
ORM properties can be named differently to the underlying columns: https://docs.sqlalchemy.org/en/13/orm/mapping_columns.html#naming-columns-distinctly-from-attribute-names You could also create a TypeDecorator which converts to and from the pandas datatypes as the values are retrieved from and

Re: [sqlalchemy] Column name collision with method name

2019-09-13 Thread Mike Bayer
On Fri, Sep 13, 2019, at 10:46 AM, Gary L wrote:
> I have a declarative model as below
>
> class User(Base):
>     __tablename__ = 'users'
>     __table_args__ = {
>         'schema':'internal',
>         'extend_existing': True,
>         'mustexist': True
>     }
>
> The table has a column named

[sqlalchemy] Column name collision with method name

2019-09-13 Thread Gary L
I have a declarative model as below

class User(Base):
    __tablename__ = 'users'
    __table_args__ = {
        'schema':'internal',
        'extend_existing': True,
        'mustexist': True
    }

The table has a column named 'registration_date'. Since I am working with pandas I'd like

Re: [sqlalchemy] SqlAlchemy vulnerabilities CVE-2019-7164

2019-09-13 Thread Mike Bayer
yes. per the headline linked in that article: "SQLAlchemy through 1.2.17 and 1.3.x **through 1.3.0b2** allows SQL Injection via the order_by parameter." Version 1.3.8 is much newer than version 1.3.0b2. The changelog for the issue is noted in 1.3.0b3 at

[sqlalchemy] SqlAlchemy vulnerabilities CVE-2019-7164

2019-09-13 Thread 'ANAND NARAYAN' via sqlalchemy
Hi, Is the security vulnerability listed in National Vulnerability Database ( https://nvd.nist.gov/vuln/detail/CVE-2019-7164 ) fixed in latest version v1.3.8 ? Thanks Regards Anand