> On Mar 8, 2019, at 9:06 PM, Mike Bayer wrote:
>
> Datatypes like Integer() when rendering the literal value pass the
> incoming input directly to str() which goes straight to the database...
Thank you so much for the explanation! This is very helpful.
--
SQLAlchemy -
The Python SQL
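The failure mode Mike describes above (a literal value that is passed straight to str() and spliced into the SQL text, which is then sent to an engine that executes whatever string it receives) reproduced as a self-contained example. This is an editorial addition, not SQLAlchemy's code and not code from anyone in the thread: a hand-rolled template substitution stands in for literal rendering, and Python's stdlib sqlite3 with a constructed two-row users table stands in for the remote server. The query text, the payload and the helper names (render_literal_unsafe, render_literal_checked, run_literal, run_parameterized) are assumptions made for illustration.

```python
import sqlite3

# Constructed sample query: an integer lookup that also enforces a
# non-admin filter. The ":id" placeholder is the spot a literal renderer
# would fill in.
QUERY = "SELECT name FROM users WHERE id = :id AND is_admin = 0"
PARAM_QUERY = "SELECT name FROM users WHERE id = ? AND is_admin = 0"


def _fresh_db():
    """Constructed in-memory database standing in for the remote server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", 1), (2, "bob", 0)],
    )
    return conn


def render_literal_unsafe(template, value):
    """Mimics literal rendering as described in the thread: whatever the
    caller passes for an Integer column goes through str() and into the SQL
    text unchanged, so a string payload is never quoted or type-checked."""
    return template.replace(":id", str(value))


def render_literal_checked(template, value):
    """Hardened variant (assumed, not a SQLAlchemy API): refuse to render
    anything that is not a genuine Python int. bool is excluded explicitly
    because it is an int subclass."""
    if isinstance(value, bool) or not isinstance(value, int):
        raise TypeError(f"expected int for :id, got {type(value).__name__}")
    return template.replace(":id", str(value))


def run_literal(value):
    """Send the literal-rendered string to the server, as the service in
    the thread would: the server just executes the text it is handed."""
    conn = _fresh_db()
    try:
        return conn.execute(render_literal_unsafe(QUERY, value)).fetchall()
    finally:
        conn.close()


def run_parameterized(value):
    """Same lookup with a bound parameter: the value never becomes part of
    the SQL text, so the payload is compared as data, not parsed as SQL."""
    conn = _fresh_db()
    try:
        return conn.execute(PARAM_QUERY, (value,)).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    payload = "0 OR 1=1 --"  # constructed attacker input for an "integer" field
    print(render_literal_unsafe(QUERY, payload))
    print("literal, honest int:", run_literal(2))
    print("literal, payload:   ", run_literal(payload))
    print("bound, payload:     ", run_parameterized(payload))
    try:
        render_literal_checked(QUERY, payload)
    except TypeError as exc:
        print("checked renderer refused:", exc)
```

With the literal path the payload rewrites the WHERE clause to `id = 0 OR 1=1 -- AND is_admin = 0`, so the admin filter is commented out and every row comes back; with a bound parameter the same payload is just a string that no integer id equals, and nothing comes back. The checked renderer shows the narrowest mitigation if literal rendering cannot be avoided: reject anything that is not already an int before str() ever sees it.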
> On Mar 8, 2019, at 11:57 AM, Mike Bayer wrote:
>
> this use is insecure and is not supported. SQLAlchemy's bound
> parameter rendering is only intended for debugging and for special DDL
> scenarios and should not be used for ordinary SQL statements passed to
> a database.
Would you
> On Mar 8, 2019, at 5:25 AM, Mike Bayer wrote:
>
> SQL injection has to do with strings that are sent to the database
> engine. from what you said above, it seems like you are generating
> strings just to display them on a webpage?
No, I’m not displaying SQL strings on a webpage. I’m
> On Mar 7, 2019, at 8:08 PM, Seth P wrote:
>
> Someone wrote a server that blindly executes SQL strings? Oy. Google around
> for why that is a terrible idea.
Oh, I am very familiar with why it’s a terrible idea. Unfortunately, I’m a user
of this service and don’t have much of a choice in