Hi,

It doesn't, and that would be a reasonable addition.

I'm also thinking that startswith, endswith and contains should probably do
the escaping by default.

If you create a ticket I'll look at it sometime, although not for a couple
of weeks (I'm on holiday, woo :-)

Paul


On 9/21/07, Felix Schwarz <[EMAIL PROTECTED]> wrote:
>
>
> Hi,
>
> as several nice people from this list told me, SQLAlchemy uses bound
> parameters by default so that ordinary SQL injections are not possible
> anymore.
>
> However, I want to escape search patterns in like-queries, e.g.:
> "User.c.username.like('%' + userinput + '%')"
>
> Of course, I can write my own function to escape all pattern characters
> but as always it seems to be more secure to use existing functions.
> After looking at the documentation for SQLAlchemy 0.3.10, I did not find
> an escape function.
>
> So just a quick question: Does SQLAlchemy come with a function to escape
> patterns?
>
> thank you very much
> fs
>
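
The pattern escaping discussed in this thread, as an added example that is not part of the original messages and is not SQLAlchemy's own API. It uses the standard-library `sqlite3` module; the `users` table, the sample rows, the helper names and the choice of backslash as the escape character are assumptions made for the illustration.

```python
import sqlite3

ESCAPE_CHAR = "\\"  # assumption: backslash is used as the LIKE escape character


def escape_like(user_input, escape=ESCAPE_CHAR):
    """Make LIKE wildcards in user input match only as literal characters."""
    # The escape character itself must be handled first; doing it last
    # would re-escape the escapes just added in front of % and _.
    return (user_input.replace(escape, escape + escape)
                      .replace("%", escape + "%")
                      .replace("_", escape + "_"))


def find_users(conn, user_input, escaped=True):
    """Substring search on username; the pattern travels as a bound parameter."""
    needle = escape_like(user_input) if escaped else user_input
    rows = conn.execute(
        "SELECT username FROM users WHERE username LIKE ? ESCAPE ? "
        "ORDER BY username",
        ("%" + needle + "%", ESCAPE_CHAR),
    )
    return [row[0] for row in rows]


def demo_db():
    """In-memory database with constructed sample usernames."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?)",
        [("alice",), ("bob_smith",), ("bobXsmith",),
         ("100%_real",), ("carol\\dave",)],
    )
    return conn


if __name__ == "__main__":
    db = demo_db()
    # Bound parameters stop SQL injection, but "_" still acts as a wildcard.
    print(find_users(db, "b_s", escaped=False))
    print(find_users(db, "b_s"))
    # An unescaped "%" turns the search into "match every row".
    print(find_users(db, "%", escaped=False))
    print(find_users(db, "%"))
```
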
