Hello sqlalchemy,
I need to execute a select-statement on a table, which uses a custom
stored procedure inside the "WHERE" clause. That's why I need to use a
"text()" ClauseElement. But, inside my query I also want to specify
parameters. So far, I have it running using simple "%" python-style
string-formatting. However, this subjects my query to possible SQL-
Injection attacks. So I would prefer to do it The Right Way and use
bound query parameters. But I fail miserably when doing this. Here are
my attempts:
First attempt:
q = text(":r >= lldistance( Point(:x, :y), test_field )",
bindparams=[
bindparam('r', type=types.FloatType),
bindparam('x', type=types.FloatType),
bindparam('y', type=types.FloatType),
])
Info.select( q, r=1000, x=40, y=6) )
Second attempt:
q = text(":r >= lldistance( Point(:x, :y), test_field )",
bindparams=[
bindparam('r', type=types.FloatType),
bindparam('x', type=types.FloatType),
bindparam('y', type=types.FloatType),
])
q_compiled = q.compile(parameters={'r':1000, 'x': 40, 'y':6},
bind=turbogears.database.get_engine())
Info.select( q_compiled )
... and so on. These are the two most likely correct(?) attempts.
Otheres involved a lot of fiddling around ;)
None of these worked.
I also know I could use the info_table object (the Table object
assigned to "Info"), But then I would receive simple table rows as
result-set. But the mapped "Info" object contains other useful methods
I would need. So I would much rather execute a select statement on the
mapped "Info" object.
Any pointers?
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"sqlalchemy" group.
To post to this group, send email to sqlalchemy@googlegroups.com
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at
http://groups.google.com/group/sqlalchemy?hl=en
-~----------~----~----~----~------~----~------~--~---
