On Jan 29, 2013, at 7:01 PM, Jonathan Vanasco wrote:

> 
> 
> On Jan 29, 2:04 pm, Michael Bayer <mike...@zzzcomputing.com> wrote:
> 
>> ilike is available using column.ilike("some string").   You can turn it into 
>> a "contains" by adding in the appropriate "%" signs manually.  If you want 
>> to do lower() manually, then you can say func.lower(column).contains('some 
>> string'), though ilike() does the lower() logic when used on a backend that 
>> doesn't have ILIKE built in.
> 
> I knew all that; my concern was passing in a bind parameter to ilike.
> 
> I want to do something like:
> 
>    name = 'Jonathan'
> 
>    models.User.name.contains( name , case_sensitive=False )
>    models.User.name.startswith( name , case_sensitive=False )
>    models.User.name.ilike( """%:name%""" ).params( name = name )
> 
> I don't want to do:
> 
>    models.User.name.ilike( """%%%s%%""" % name )
> 
> because without an ability to escape 'name' or bind it as a
> placeholder, it becomes a SQL injection vulnerability

well in the absence of "icontains()" you can for now do just what contains() 
does:

User.name.ilike('%%' + literal(name) + '%%')

though even if you are saying 'ilike("""%%%s%%""" % name)', that string value 
is still converted to a bound parameter, so there's no SQL injection here.

> 
> - allow `contains` and `startswith` to accept a case_sensitive option
> ( defaults to True, as that is the current behavior )

I'd just do icontains() and istartswith() here, sure.

> - parse strings in ilike for bind params, or give them a params
> keyword ( col.ilike( pattern , params={} ))

parsing strings for bound params is a feature of the text() construct, so 
technically that's already available, but is not really needed in this case.

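The two points in this exchange (a pattern string passed to ilike()/contains() is sent as a bound parameter, so quotes in the value cannot break out of the query; but "%" and "_" inside the value are still LIKE wildcards unless escaped) can be shown without SQLAlchemy at all. The following is an added example written for this thread, not code from the thread or from SQLAlchemy; it uses only the standard-library sqlite3 module and a constructed in-memory users table. The escape_like() helper is my own; SQLAlchemy's like()/ilike() accept an escape= argument that emits the same ESCAPE clause, and later releases added autoescape=True to contains()/startswith().

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory table with a few user names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?)",
        [("Jonathan",), ("jon_athan",), ("Alice",), ("Bob",)],
    )
    return conn


def icontains_bound(conn, needle):
    """Case-insensitive 'contains' built the way contains()/ilike() do it:
    the wildcards are glued onto the value in Python and the whole pattern
    travels as ONE bound parameter. Quotes or SQL keywords in `needle`
    are therefore data, never part of the statement text."""
    pattern = "%" + needle + "%"
    rows = conn.execute(
        "SELECT name FROM users WHERE lower(name) LIKE lower(?)",
        (pattern,),
    ).fetchall()
    return sorted(r[0] for r in rows)


def escape_like(needle, esc="\\"):
    """Neutralise LIKE metacharacters in user input so they match literally.
    The escape character itself must be doubled first."""
    return (
        needle.replace(esc, esc + esc)
        .replace("%", esc + "%")
        .replace("_", esc + "_")
    )


def icontains_escaped(conn, needle):
    """Same query, but the value is escaped and an ESCAPE clause is added,
    so a user-supplied '%' or '_' no longer acts as a wildcard."""
    pattern = "%" + escape_like(needle) + "%"
    rows = conn.execute(
        "SELECT name FROM users WHERE lower(name) LIKE lower(?) ESCAPE '\\'",
        (pattern,),
    ).fetchall()
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    db = make_db()
    # Bound parameter: the quote and the comment marker are just characters.
    print(icontains_bound(db, "' OR 1=1 --"))   # []
    # Still bound, but '_' is a single-character wildcard: matches both spellings.
    print(icontains_bound(db, "jon_"))           # ['Jonathan', 'jon_athan']
    # Escaped: only the name that really contains an underscore.
    print(icontains_escaped(db, "jon_"))         # ['jon_athan']
    # A bare '%' from the user matches every row unless escaped.
    print(icontains_bound(db, "%"))              # all four names
    print(icontains_escaped(db, "%"))            # []
```

The first call is the case Michael describes: even a hostile value ends up as a parameter, so there is no injection. The remaining calls show the separate issue Jonathan is pointing at with "an ability to escape 'name'": wildcard characters inside the value change what the pattern matches (a search for "%" returns the whole table), which is a data-exposure and denial-of-service concern rather than an injection, and is what the ESCAPE clause (escape= in SQLAlchemy) is for.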
