Hi,

It doesn't, and that would be a reasonable addition.
I'm also thinking that startswith, endswith and contains should probably do the escaping by default. If you create a ticket I'll look at it sometime, although not for a couple of weeks (I'm on holiday, woo :-)

Paul

On 9/21/07, Felix Schwarz <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> as several nice people from this list told me, SQLAlchemy uses bound
> parameters by default so that ordinary SQL injections are not possible
> anymore.
>
> However, I want to escape search patterns in like-queries, e.g.:
> "User.c.username.like('%' + userinput + '%')"
>
> Of course, I can write my own function to escape all pattern characters
> but as always it seems to be more secure to use existing functions.
> After looking at the documentation for SQLAlchemy 0.3.10, I did not find
> an escape function.
>
> So just a quick question: Does SQLAlchemy come with a function to escape
> patterns?
>
> thank you very much
> fs
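The problem Felix describes is worth seeing end to end: bound parameters stop the user from breaking out of the string, but `%` and `_` inside a bound value are still interpreted by LIKE, so a search for "%" matches every row. The following is an added example, not code from this thread or from SQLAlchemy; it uses only the standard-library `sqlite3` module, and the table, the sample usernames, and the helper names `escape_like`, `search_usernames` and `build_demo_db` are all constructed here for illustration. It shows the unescaped query beside the escaped one, with an explicit `ESCAPE` clause so the database knows which character the escaping uses.

```python
import sqlite3

# Backslash is used as the LIKE escape character; it must be passed to the
# database via the ESCAPE clause, otherwise the backslashes are just literals.
ESCAPE_CHAR = "\\"


def escape_like(pattern: str, escape: str = ESCAPE_CHAR) -> str:
    """Escape the LIKE metacharacters '%' and '_' plus the escape char itself.

    The escape character is doubled first, so that a backslash supplied by the
    user is not mistaken for an escape we added.
    """
    return (
        pattern.replace(escape, escape + escape)
        .replace("%", escape + "%")
        .replace("_", escape + "_")
    )


def search_usernames(conn: sqlite3.Connection, userinput: str, escape: bool = True) -> list:
    """Substring search on users.username, with or without pattern escaping.

    Both variants use bound parameters, so neither is vulnerable to classic
    SQL injection. Only the escaped variant treats '%' and '_' literally.
    """
    if escape:
        pattern = "%" + escape_like(userinput) + "%"
        sql = "SELECT username FROM users WHERE username LIKE ? ESCAPE ?"
        rows = conn.execute(sql, (pattern, ESCAPE_CHAR)).fetchall()
    else:
        # The naive form from the question: '%' + userinput + '%'
        pattern = "%" + userinput + "%"
        sql = "SELECT username FROM users WHERE username LIKE ?"
        rows = conn.execute(sql, (pattern,)).fetchall()
    return [row[0] for row in rows]


def build_demo_db() -> sqlite3.Connection:
    """In-memory table with constructed sample usernames (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (username) VALUES (?)",
        [("alice",), ("bob",), ("a_c",), ("100%",), ("back\\slash",)],
    )
    return conn


if __name__ == "__main__":
    conn = build_demo_db()
    # Unescaped: a lone '%' is a wildcard and returns the whole table.
    print("unescaped '%':", search_usernames(conn, "%", escape=False))
    # Escaped: only the user whose name actually contains a percent sign.
    print("escaped   '%':", search_usernames(conn, "%"))
    print("escaped   '_':", search_usernames(conn, "_"))
    print("escaped   '\\':", search_usernames(conn, "\\"))
```

The same `escape_like` output can be handed to SQLAlchemy in later versions, where `Column.like()` accepts an `escape=` keyword that emits the `ESCAPE` clause; the escape character passed there must match the one used when building the pattern, or the backslashes are searched for literally.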