Hi,

>I have a question related to sql injection when using a clause like 
>this: "User.c.username.like('%' + userinput + '%')"
SQLAlchemy uses a bind parameter for the value, so there's no chance of 
full-blown SQL injection. There is, as you've identified, a risk of 
"like pattern injection". That's probably not a security issue, but it 
could be a usability issue. To protect, you need to escape any character 
with special meaning in the like clause. That is % and _ and any 
database-specific extension (I think some dbs allow character sets with []).

Paul
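An added example (not Paul's code or SQLAlchemy's own) of the escaping described above, run against an in-memory SQLite table with constructed sample usernames; the `escape_like` and `find_usernames` names are assumptions for this illustration, and the `escape` keyword of SQLAlchemy's `like()` is what would carry the escape character in the original `User.c.username.like(...)` clause.

```python
import sqlite3

LIKE_ESCAPE = "\\"  # escape character declared with LIKE ... ESCAPE


def escape_like(value: str, escape: str = LIKE_ESCAPE, extra: str = "") -> str:
    """Escape LIKE wildcards so user-supplied text matches literally.

    The escape character itself is doubled first, then % and _ are
    prefixed, then any database-specific extras (e.g. "[" for backends
    that treat [] as a character set).
    """
    out = value.replace(escape, escape + escape)
    for ch in "%_" + extra:
        out = out.replace(ch, escape + ch)
    return out


def contains_pattern(userinput: str, **kw) -> str:
    """Build the '%...%' substring pattern around escaped user text.

    With SQLAlchemy this would be passed as
        User.c.username.like(contains_pattern(userinput), escape=LIKE_ESCAPE)
    """
    return "%" + escape_like(userinput, **kw) + "%"


def find_usernames(userinput: str, usernames, escaped: bool = True):
    """Substring search over constructed sample rows in SQLite.

    escaped=False reproduces the original clause, where % and _ typed by
    the user keep their wildcard meaning (the "like pattern injection").
    """
    pattern = contains_pattern(userinput) if escaped else "%" + userinput + "%"
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [(u,) for u in usernames])
    # The value is still a bind parameter either way; only the escaping differs.
    rows = conn.execute(
        "SELECT username FROM users WHERE username LIKE ? ESCAPE '\\' "
        "ORDER BY username",
        (pattern,),
    ).fetchall()
    conn.close()
    return [r[0] for r in rows]


if __name__ == "__main__":
    sample = ["alice", "a_lice", "bob%", "100%"]  # constructed sample data
    print(find_usernames("_", sample, escaped=False))  # every row matches
    print(find_usernames("_", sample))                 # only the literal underscore
```

Newer SQLAlchemy releases also offer `column.contains(userinput, autoescape=True)`, which applies the same escaping for you.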

