I'm using SA with the TurboGears 2.x framework, and in development mode, when I turn on all the logging, I can see the generated SA queries in the Paste web server console. One line after the generated query, there is a line which shows the parameters.

Here is a sample output:
------------------------
22:17:53,695 INFO [sqlalchemy.engine.base.Engine.0x...cad0] SELECT adres_ilce.id AS adres_ilce_id, adres_ilce.kod AS adres_ilce_kod, adres_ilce.ad AS adres_ilce_ad, adres_ilce.adres_il_kod AS adres_ilce_adres_il_kod
FROM adres_ilce
WHERE adres_ilce.adres_il_kod = ? ORDER BY adres_ilce.ad
22:17:53,695 INFO [sqlalchemy.engine.base.Engine.0x...cad0] SELECT adres_ilce.id AS adres_ilce_id, adres_ilce.kod AS adres_ilce_kod, adres_ilce.ad AS adres_ilce_ad, adres_ilce.adres_il_kod AS adres_ilce_adres_il_kod
FROM adres_ilce
WHERE adres_ilce.adres_il_kod = ? ORDER BY adres_ilce.ad
22:17:53,696 INFO  [sqlalchemy.engine.base.Engine.0x...cad0] (u'15',)
22:17:53,696 INFO  [sqlalchemy.engine.base.Engine.0x...cad0] (u'15',)
22:17:53,725 DEBUG [sqlalchemy.engine.base.Engine.0x...cad0] Col ('adres_ilce_id', 'adres_ilce_kod', 'adres_ilce_ad', 'adres_ilce_adres_il_kod')
22:17:53,725 DEBUG [sqlalchemy.engine.base.Engine.0x...cad0] Col ('adres_ilce_id', 'adres_ilce_kod', 'adres_ilce_ad', 'adres_ilce_adres_il_kod')
22:17:53,726 DEBUG [sqlalchemy.engine.base.Engine.0x...cad0] Row (190, 0, u'- - - - - - - - - - - - - - -', 15)
22:17:53,726 DEBUG [sqlalchemy.engine.base.Engine.0x...cad0] Row (190, 0, u'- - - - - - - - - - - - - - -', 15)
22:17:53,726 DEBUG [sqlalchemy.engine.base.Engine.0x...cad0] Row (193, 52, u'ALTINYAYLA(D\u0130RM\u0130L)', 15)
22:17:53,726 DEBUG [sqlalchemy.engine.base.Engine.0x...cad0] Row (193, 52, u'ALTINYAYLA(D\u0130RM\u0130L)', 15)
22:17:53,726 DEBUG [sqlalchemy.engine.base.Engine.0x...cad0] Row (192, 51, u'A\u011eLASUN', 15)
22:17:53,726 DEBUG [sqlalchemy.engine.base.Engine.0x...cad0] Row (192, 51, u'A\u011eLASUN', 15)
22:17:53,727 DEBUG [sqlalchemy.engine.base.Engine.0x...cad0] Row (194, 53, u'BUCAK', 15)
22:17:53,727 DEBUG [sqlalchemy.engine.base.Engine.0x...cad0] Row (194, 53, u'BUCAK', 15)
22:17:53,727 DEBUG [sqlalchemy.engine.base.Engine.0x...cad0] Row (191, 1, u'BURDUR', 15)
22:17:53,727 DEBUG [sqlalchemy.engine.base.Engine.0x...cad0] Row (191, 1, u'BURDUR', 15)
22:17:53,727 DEBUG [sqlalchemy.engine.base.Engine.0x...cad0] Row (197, 56, u'G\xd6LH\u0130SAR', 15)
22:17:53,727 DEBUG [sqlalchemy.engine.base.Engine.0x...cad0] Row (197, 56, u'G\xd6LH\u0130SAR', 15)
22:17:53,728 DEBUG [sqlalchemy.engine.base.Engine.0x...cad0] Row (198, 57, u'KARAMANLI', 15)
22:17:53,728 DEBUG [sqlalchemy.engine.base.Engine.0x...cad0] Row (198, 57, u'KARAMANLI', 15)
22:17:53,728 DEBUG [sqlalchemy.engine.base.Engine.0x...cad0] Row (199, 59, u'TEFENN\u0130', 15)
22:17:53,728 DEBUG [sqlalchemy.engine.base.Engine.0x...cad0] Row (199, 59, u'TEFENN\u0130', 15)
22:17:53,728 DEBUG [sqlalchemy.engine.base.Engine.0x...cad0] Row (200, 60, u'YE\u015e\u0130LOVA', 15)
22:17:53,728 DEBUG [sqlalchemy.engine.base.Engine.0x...cad0] Row (200, 60, u'YE\u015e\u0130LOVA', 15)
22:17:53,729 DEBUG [sqlalchemy.engine.base.Engine.0x...cad0] Row (195, 54, u'\xc7AVDIR', 15)
22:17:53,729 DEBUG [sqlalchemy.engine.base.Engine.0x...cad0] Row (195, 54, u'\xc7AVDIR', 15)
22:17:53,729 DEBUG [sqlalchemy.engine.base.Engine.0x...cad0] Row (196, 55, u'\xc7ELT\u0130K\xc7\u0130', 15)
22:17:53,729 DEBUG [sqlalchemy.engine.base.Engine.0x...cad0] Row (196, 55, u'\xc7ELT\u0130K\xc7\u0130', 15)
-------------------------

The line just after the generated query shows the parameters:
(u'15',) is the parameter in my sample log output.

Maybe you have to turn on debug output in your application to show the query results too. I've done something in the tg logging config so my logs show every SA query and its results two times.


11-01-2011 19:12, Harkirat wrote:
Thank you! I understand the security concerns. I only need this for
testing purposes and production will be all bind-parameter driven.


On Jan 11, 11:15 am, Michael Bayer <mike...@zzzcomputing.com> wrote:
This question comes up from time to time and I'm generally extremely
uncomfortable documenting it, as SQLAlchemy carefully protects its reputation
as being 100% bind-parameter driven and in no way wants to encourage the
rendering of data directly into SQL strings. This is the one real area of
SQL where security is a concern.

However, I've added a wikipage for this use case which has a level of
disclaimer I think will be OK, which you can see at
http://www.sqlalchemy.org/trac/wiki/UsageRecipes/BindsAsStrings.

On Jan 11, 2011, at 10:14 AM, Harkirat wrote:

Hi All,
     When I run this

delete_stmt = appname.delete(appname.c.appid==1)
print delete_stmt

I get output

DELETE FROM appname WHERE appname.appid = ?

Is there any way I can print out raw SQL statements with the parameters
included, e.g.
DELETE FROM appname WHERE appname.appid = 1

Thanks!

Harkirat
