On Feb 28, 2011, at 5:35 PM, Ryan wrote: > Can't find anything in the docs as to whether query strings passed into > Session.execute are escaped/safe from SQL injection. Any insights? Thanks.
A literal query string is only safe against injection if you ensure that the string contains no portions of user-entered text inside of it. Bind parameters should always be used for literal values. Docs on the text() construct which Session.execute() uses, and the accepted bind parameter format, are here: http://www.sqlalchemy.org/docs/core/expression_api.html#sqlalchemy.sql.expression.text > > -- > You received this message because you are subscribed to the Google Groups > "sqlalchemy" group. > To post to this group, send email to sqlalchemy@googlegroups.com. > To unsubscribe from this group, send email to > sqlalchemy+unsubscr...@googlegroups.com. > For more options, visit this group at > http://groups.google.com/group/sqlalchemy?hl=en. -- You received this message because you are subscribed to the Google Groups "sqlalchemy" group. To post to this group, send email to sqlalchemy@googlegroups.com. To unsubscribe from this group, send email to sqlalchemy+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/sqlalchemy?hl=en.
