So today I identified a small bug in my code and then, while trying to resolve it, came to a few realizations:
1. column.contains(str) does not escape characters in str such as % and _. Presumably, column.startswith(str) and column.endswith(str) have the same behavior.
2. There is a distinct lack of column.icontains(str), though the current implementation means it's identical to column.ilike('%' + str + '%')
3. There is no builtin function (that I found, please correct me if I'm wrong!) for escaping a string being passed to any functions in this family.

While I think that column.like and column.ilike should definitely /not/ escape their argument (you know you're trying for a pattern match here, and that you're matching against a pattern), I think that the .contains/.startswith/.endswith family of functions probably should perform this escaping transparently. Between DBAPI 2.0, SQLAlchemy and parameterized querying I don't need to worry about escaping input, so why should I have to pay attention to that detail when using .contains? Also, case insensitive versions of the above would probably be useful.

That said, a proper fix might be complicated since it could inadvertently break existing code that relies on the current behavior of .contains()

-- Daniel
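
The behavior described in this post, as an added example that is not part of the original message: it uses the standard-library sqlite3 module rather than SQLAlchemy to show the underlying LIKE semantics. The names escape_like, contains and the files table are hypothetical, and the sample rows are constructed.

```python
import sqlite3

ESC = "\\"  # escape character declared to the database via ESCAPE


def escape_like(term, escape=ESC):
    """Escape LIKE metacharacters so `term` is matched literally."""
    # The escape character itself must be handled first, otherwise the
    # backslashes added for % and _ would be doubled afterwards.
    for ch in (escape, "%", "_"):
        term = term.replace(ch, escape + ch)
    return term


def contains(conn, term, escaped):
    """Return names containing `term`; `escaped` toggles wildcard escaping."""
    if escaped:
        sql = "SELECT name FROM files WHERE name LIKE ? ESCAPE '\\' ORDER BY name"
        pattern = "%" + escape_like(term) + "%"
    else:
        # Shape of the query the post describes: the value is bound as a
        # parameter (no SQL injection), but % and _ remain live wildcards.
        sql = "SELECT name FROM files WHERE name LIKE ? ORDER BY name"
        pattern = "%" + term + "%"
    return [row[0] for row in conn.execute(sql, (pattern,))]


def make_db():
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (name TEXT)")
    conn.executemany(
        "INSERT INTO files VALUES (?)",
        [("report_2013",), ("report-2013",), ("100% done",), ("1000 done",)],
    )
    return conn


if __name__ == "__main__":
    db = make_db()
    for term in ("t_2", "0% d"):
        print(repr(term), "unescaped:", contains(db, term, escaped=False))
        print(repr(term), "escaped:  ", contains(db, term, escaped=True))
```

Parameter binding and wildcard escaping are separate concerns: the bound value cannot change the statement, but the database still interprets % and _ inside it unless they are escaped and an ESCAPE clause is supplied.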