On Jan 29, 2013, at 7:01 PM, Jonathan Vanasco wrote:

> On Jan 29, 2:04 pm, Michael Bayer <mike...@zzzcomputing.com> wrote:
>
>> ilike is available using column.ilike("some string"). You can turn it into
>> a "contains" by adding in the appropriate "%" signs manually. If you want
>> to do lower() manually, then you can say func.lower(column).contains('some
>> string'), though ilike() does the lower() logic when used on a backend that
>> doesn't have ILIKE built in.
>
> I knew all that, my concern was passing in a bind parameter to ilike.
>
> I want to do something like:
>
> name = 'Jonathan'
>
> models.User.name.contains( name , case_sensitive=False )
> models.User.name.startswith( name , case_sensitive=False )
> models.User.name.ilike( """%:name%""" ).params( name = name )
>
> I don't want to do:
>
> models.User.name.ilike( """%%%s%%""" % name )
>
> because without an ability to escape 'name' or bind it as a
> placeholder, it becomes a SQL injection vulnerability.
well in the absence of "icontains()" you can for now do just what contains() does: User.name.ilike('%%' + literal(name) + '%%') though even if you are saying 'ilike("""%%%s%%""" % name)', that string value is still converted to a bound parameter, so there's no SQL injection here.

> - allow `contains` and `startswith` to accept a case_sensitive option
> ( defaults to True, as that is the current behavior )

I'd just do icontains() and istartswith() here, sure.

> - parse strings in ilike for bind params, or give them a params
> keyword ( col.ilike( pattern , params={} ))

parsing strings for bound params is a feature of the text() construct, so technically that's already available, but is not really needed in this case.
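An added example, not from the thread and not SQLAlchemy's own code: it uses the standard-library sqlite3 DB-API to show what the reply's bound-parameter approach looks like at the driver level (the wildcard wrapping done in Python, as with `'%%' + literal(name) + '%%'`, and the whole pattern sent as one parameter), plus the caveat that binding alone leaves `%` and `_` in the user's value acting as LIKE wildcards unless they are escaped. The table, rows and function names are constructed for the demonstration.

```python
import sqlite3

# Constructed sample table (hypothetical, not from the thread).
SAMPLE_NAMES = [("Jonathan",), ("jon_athan",), ("Alice",), ("50% off",)]


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", SAMPLE_NAMES)
    return conn


def escape_like(value, esc="\\"):
    """Neutralise LIKE metacharacters so a user value matches itself literally.
    Binding alone does not do this: '%' and '_' are still wildcards inside a
    bound pattern, so a user can widen the match even though they cannot
    change the SQL."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def icontains_names(needle, escape=True):
    """Case-insensitive 'contains' query. The wildcard wrapping happens in
    Python and the whole pattern travels as one bound parameter, the DB-API
    equivalent of ilike('%%' + literal(name) + '%%') from the thread; the
    user's value is never spliced into the SQL text, so quotes in it are
    harmless."""
    if escape:
        needle = escape_like(needle)
        sql = ("SELECT name FROM users WHERE lower(name) LIKE lower(?) "
               "ESCAPE '\\' ORDER BY rowid")
    else:
        sql = "SELECT name FROM users WHERE lower(name) LIKE lower(?) ORDER BY rowid"
    conn = _connect()
    try:
        return [row[0] for row in conn.execute(sql, ("%" + needle + "%",))]
    finally:
        conn.close()


if __name__ == "__main__":
    print(icontains_names("jon"))                 # ['Jonathan', 'jon_athan']
    print(icontains_names("jon_", escape=False))  # '_' acts as a wildcard
    print(icontains_names("jon_"))                # escaped: ['jon_athan']
```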