Think about it this way: there are two kinds of strings when you're dealing with SQL: 1) SQL language, 2) your data input. Don't ever include (2) in (1); let the API do it.
\malthe

On 4 July 2011 21:41, Krishnakant Mane <krm...@gmail.com> wrote:
> Hello all.
> I use Pylons 0.9.7 and sqlalchemy.
> I use the Object Relational Mapper with declarative syntax in a few of my
> modules.
> I was reading chapter 7 of the Pylons book and I understood that sql
> injections can be avoided using the expression api.
> But can this be also done using ORM?
> I tried on my software and sql injections do work.
> Is it possible to avoid it with ORM or will i have to totally avoid using
> an ORM layer of sqlalchemy and only use the expression api?
> Happy hacking.
> Krishnakant.
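The two-kinds-of-strings rule, shown as an added example that is not part of the original thread: the vulnerable lookup pastes the data string into the SQL text, the safe one keeps the SQL text constant and lets the driver bind the value. It uses the standard-library sqlite3 module so it runs stand-alone (SQLAlchemy's ORM and expression API emit the same kind of bound parameter when you compare a column to a Python value); the table and rows are constructed for the demo.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demo: an in-memory table with two users.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # Kind (2), the data, is spliced into kind (1), the SQL language.
    # The database now parses whatever the caller typed as SQL syntax.
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # The SQL text never changes; the value travels separately as a bound
    # parameter, so quotes or operators in the data are just characters.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for value in ("alice", "x' OR '1'='1"):
        print(repr(value), "vulnerable:", lookup_vulnerable(db, value))
        print(repr(value), "safe:      ", lookup_safe(db, value))
```

For an ordinary name both functions agree; for input containing SQL syntax only the bound-parameter version keeps matching on the literal string.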