Great. Thank you.


On Mon, Feb 28, 2011 at 9:37 PM, Michael Bayer <mike...@zzzcomputing.com>wrote:

>
> On Feb 28, 2011, at 5:35 PM, Ryan wrote:
>
> > Can't find anything in the docs as to whether query strings passed into
> Session.execute are escaped/safe from SQL injection. Any insights? Thanks.
>
> A literal query string is only safe against injection if you ensure that
> the string contains no portions of user-entered text inside of it. Bind
> parameters should always be used for literal values. Docs on the text()
> construct which Session.execute() uses, and the accepted bind parameter
> format, are here:
> http://www.sqlalchemy.org/docs/core/expression_api.html#sqlalchemy.sql.expression.text
>
>
> >
> > --
> > You received this message because you are subscribed to the Google Groups
> "sqlalchemy" group.
> > To post to this group, send email to sqlalchemy@googlegroups.com.
> > To unsubscribe from this group, send email to
> sqlalchemy+unsubscr...@googlegroups.com.
> > For more options, visit this group at
> http://groups.google.com/group/sqlalchemy?hl=en.
>

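The distinction Michael draws above, a literal query string assembled from user text versus a bind parameter, shown as an added example that is not part of the original thread and not SQLAlchemy's own code. To stay runnable without SQLAlchemy installed it uses Python's standard-library sqlite3 DBAPI directly; the `:name` placeholder is the same named bind format that text() accepts, so the SQLAlchemy equivalent of `lookup_safe` would be `session.execute(text("SELECT ... WHERE name = :name"), {"name": user_input})`. The table, rows and the `PAYLOAD` string are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the thread).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("o'brien", "obrien@example.com"),  # a legitimate apostrophe in data
]

# Classic tautology payload: closes the quoted literal and appends OR '1'='1'.
PAYLOAD = "x' OR '1'='1"


def make_db():
    """In-memory SQLite database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn, name):
    """Literal SQL with user text spliced in: the attacker controls the
    query structure, not just the value being compared."""
    sql = "SELECT email FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Named bind parameter (:name). The driver sends the value out of band,
    so quotes inside it can never terminate the literal or alter the query."""
    sql = "SELECT email FROM users WHERE name = :name"
    return [row[0] for row in conn.execute(sql, {"name": name})]


def lookup_unsafe_or_error(conn, name):
    """Wrapper that reports a syntax failure instead of raising, to show that
    string splicing also breaks on ordinary data containing a quote."""
    try:
        return lookup_unsafe(conn, name)
    except sqlite3.OperationalError:
        return "OperationalError"


def demo():
    """Run both lookups against normal input, a quoted name, and the payload."""
    conn = make_db()
    return {
        "unsafe_normal": lookup_unsafe(conn, "alice"),
        "unsafe_quote_in_data": lookup_unsafe_or_error(conn, "o'brien"),
        "unsafe_injected": lookup_unsafe(conn, PAYLOAD),
        "safe_normal": lookup_safe(conn, "alice"),
        "safe_quote_in_data": lookup_safe(conn, "o'brien"),
        "safe_injected": lookup_safe(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print("%-22s %r" % (label, result))
```

The injected call against `lookup_unsafe` returns every row, because the assembled statement becomes `WHERE name = 'x' OR '1'='1'`; the same input through `lookup_safe` matches nothing, since it is compared as an opaque value. The `o'brien` case shows the second reason to prefer bind parameters: splicing breaks on legitimate data containing a quote, while the bound version just works.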