Felix Schwarz wrote: > Hi, > > I have a question related to sql injection when using a clause like > this: "User.c.username.like('%' + userinput + '%')" > > What restrictions do I have to put on the variable userinput? Of course, > I will ensure that is no percent character ('%') in userinput. Is that > enough (assuming that SQLAlchemy will do the rest by applying > database-specific quoting rules) or do I need to filter more characters? > Is this specific for database used?
In terms of sql injection, SQLAlchemy builds literal value comparisons as bind params, so the db-api is receiving that as a query of 'username LIKE ?' with '%expr%' provided separately as a bind value. The db-api then executes that safely in a database-dependent manner. "Pattern injection" is your responsibility though. So removing or escaping '%' and '_' from user input is in order. And probably the escape character as well... I don't believe that SA currently has direct support for specifying the escape character with LIKE 'expr' ESCAPE '\', though it probably should. Other than specifying it at the expression-level, there's no universal way I know of to deduce what the database connection's configured escape character is (if any). --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "sqlalchemy" group. To post to this group, send email to sqlalchemy@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/sqlalchemy?hl=en -~----------~----~----~----~------~----~------~--~---