So today I identified a small bug in my code and then, while trying to 
resolve it, came to a few realizations:

1. column.contains(str) does not escape characters in str such as % and _. 
Presumably, column.startswith(str) and column.endswith(str) have the same 
behavior.

2. There is a distinct lack of column.icontains(str), though the current 
implementation means it's identical to column.ilike('%' + str + '%')

3. There is no builtin function (that I found, please correct me if I'm 
wrong!) for escaping a string being passed to any functions in this family.

While I think that column.like and column.ilike should definitely /not/ 
escape their argument (you know you're trying for a pattern match here, and 
that you're matching against a pattern), I think that the 
.contains/.startswith/.endswith family of functions probably should perform 
this escaping transparently.  Between DBAPI 2.0, SQLAlchemy and 
parameterized querying I don't need to worry about escaping input, so why 
should I have to pay attention to that detail when using .contains?  Also, 
case-insensitive versions of the above would probably be useful.

That said, a proper fix might be complicated since it could inadvertently 
break existing code that relies on the current behavior of .contains()

-- Daniel
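
The behaviour described in the message, as an added example that is not part of the original post and is not SQLAlchemy code: it uses the standard-library sqlite3 module to show how an unescaped search term changes what a "contains" query matches, next to an escaped form. The names `escape_like`, `search` and `make_db` and the sample rows are constructed for illustration.

```python
import sqlite3

ESCAPE_CHAR = "\\"  # assumed escape character, paired with ESCAPE '\' below


def escape_like(term):
    """Escape LIKE metacharacters so that term is matched literally."""
    # The escape character itself goes first, otherwise the backslashes
    # inserted for % and _ would be doubled by the later replacement.
    return (term.replace(ESCAPE_CHAR, ESCAPE_CHAR * 2)
                .replace("%", ESCAPE_CHAR + "%")
                .replace("_", ESCAPE_CHAR + "_"))


def search(conn, term, escaped):
    """Return names containing term, with or without wildcard escaping."""
    if escaped:
        sql = "SELECT name FROM items WHERE name LIKE ? ESCAPE '\\' ORDER BY name"
        pattern = "%" + escape_like(term) + "%"
    else:
        # What a naive '%' + term + '%' produces: the value is still a bound
        # parameter (no SQL injection), but % and _ in it act as wildcards.
        sql = "SELECT name FROM items WHERE name LIKE ? ORDER BY name"
        pattern = "%" + term + "%"
    return [row[0] for row in conn.execute(sql, (pattern,))]


def make_db():
    """Build an in-memory table of constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (name TEXT)")
    rows = ["50% off", "50 items", "user_name", "username",
            "user-name", "C:\\temp"]
    conn.executemany("INSERT INTO items VALUES (?)", [(r,) for r in rows])
    return conn


if __name__ == "__main__":
    db = make_db()
    for term in ("50%", "user_name", "%"):
        print(repr(term), "unescaped:", search(db, term, False))
        print(repr(term), "escaped:  ", search(db, term, True))
```

In SQLAlchemy the escaped term can be passed together with the escape character, for example `column.contains(escape_like(term), escape="\\")`.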
