Hi,

I have a question related to sql injection when using a clause like 
this: "User.c.username.like('%' + userinput + '%')"

What restrictions do I have to put on the variable userinput? Of course, 
I will ensure that there is no percent character ('%') in userinput. Is that 
enough (assuming that SQLAlchemy will do the rest by applying 
database-specific quoting rules), or do I need to filter more characters? 
Is this specific to the database used?

Thank you very much
fs
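Added example, not part of the original thread, using only Python's standard-library sqlite3 instead of SQLAlchemy so it runs offline: the user input is passed as a bound parameter, so SQL quoting is not the risk; the remaining issue is that `%` and `_` are LIKE wildcards, which must be escaped and declared via an ESCAPE clause. SQLAlchemy exposes the same mechanism as `column.like(pattern, escape='\\')` or `column.contains(userinput, autoescape=True)`.

```python
import sqlite3

ESCAPE_CHAR = "\\"  # declared to the database via LIKE ... ESCAPE '\'


def escape_like(userinput: str, escape: str = ESCAPE_CHAR) -> str:
    """Escape the LIKE wildcards '%' and '_' (and the escape char itself)
    so that user input is matched literally inside a LIKE pattern."""
    return (userinput.replace(escape, escape + escape)
                     .replace("%", escape + "%")
                     .replace("_", escape + "_"))


def search_users(conn: sqlite3.Connection, userinput: str) -> list[str]:
    """Substring search. The pattern is a bound parameter (no SQL injection)
    and wildcards are escaped, so '%' or '_' in the input match literally."""
    pattern = "%" + escape_like(userinput) + "%"
    rows = conn.execute(
        "SELECT username FROM users WHERE username LIKE ? ESCAPE '\\'",
        (pattern,),
    ).fetchall()
    return sorted(r[0] for r in rows)


def search_users_unescaped(conn: sqlite3.Connection, userinput: str) -> list[str]:
    """Same query without escaping: still immune to SQL injection because the
    value is bound, but a '%' or '_' in the input widens the match."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username LIKE ?",
        ("%" + userinput + "%",),
    ).fetchall()
    return sorted(r[0] for r in rows)


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory sample table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)",
                     [("alice",), ("bob",), ("100%_done",), ("a_c",)])
    return conn


if __name__ == "__main__":
    db = demo_db()
    # A bare '%' unescaped matches every row; escaped it matches only the literal.
    print(search_users_unescaped(db, "%"))
    print(search_users(db, "%"))
```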
