Hi, >I have a question related to sql injection when using a clause like >this: "User.c.username.like('%' + userinput + '%')" > > SQLAlchemy uses a bind parameter for the value, so there's no chance of full-blown SQL injection. There is, as you've identified, a risk of "like pattern injection". That's probably not a security issue, but it could be a usability issue. To protect, you need to escape any character with special meaning in the like clause. That is % and _ and any database-specific extension (I think some dbs allow character sets with []).
Paul --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "sqlalchemy" group. To post to this group, send email to sqlalchemy@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/sqlalchemy?hl=en -~----------~----~----~----~------~----~------~--~---