On Tuesday, March 26, 2019 at 1:46:37 PM UTC-4, Piyush Nalawade wrote:
> Hi Mike,
>
> In the above example, do text and params help to protect from SQL
> injection attacks?
Yes. See https://docs.sqlalchemy.org/en/latest/core/sqlelement.html?#sqlalchemy.sql.expression.text on how the raw text is handled in terms of params, and https://docs.sqlalchemy.org/en/latest/core/sqlelement.html?#sqlalchemy.sql.expression.ClauseElement.params. Passing the values in via `params` invokes the database support for bind parameters, which is what protects you from SQL injection in values passed in.

--
SQLAlchemy - The Python SQL Toolkit and Object Relational Mapper
http://www.sqlalchemy.org/
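The mechanism Mike describes, as an added example that is not part of the thread and not SQLAlchemy's own code: it uses only the standard-library `sqlite3` DB-API driver, which is what SQLAlchemy's `text()` with `params` ultimately hands the statement and values to on the sqlite dialect. The `:name` placeholder syntax is the same one `text()` uses. The table, the rows, and the hostile input string are constructed for the demonstration. The last function shows the limit of the protection the reply mentions ("in values passed in"): a bind parameter cannot carry an identifier such as a column name, so those have to be checked against an allow-list instead.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original post).
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]

# Columns a caller is permitted to sort by; identifiers cannot be bound as
# parameters, so they are validated against this allow-list instead.
ALLOWED_ORDER_COLUMNS = {"name", "email"}


def make_db():
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable form: the value is spliced into the SQL text, so whatever
    the caller supplies is parsed as SQL, not treated as data."""
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Safe form: the same query with a named bind parameter. The SQL text is
    fixed; the value travels separately and is only ever compared as data."""
    sql = "SELECT name FROM users WHERE name = :name"
    return [row[0] for row in conn.execute(sql, {"name": name})]


def list_ordered(conn, column):
    """Bind parameters cover values only. A column name is an identifier, so
    it is checked against ALLOWED_ORDER_COLUMNS before being placed in the
    statement text; anything else is rejected."""
    if column not in ALLOWED_ORDER_COLUMNS:
        raise ValueError("unsupported sort column: %r" % column)
    sql = "SELECT name FROM users ORDER BY %s" % column
    return [row[0] for row in conn.execute(sql)]


def demo():
    """Run both lookups against a constructed hostile value and a normal one."""
    conn = make_db()
    hostile = "x' OR '1'='1"  # constructed input that closes the quoted literal
    return {
        # Interpolation: the WHERE clause becomes always-true, every row leaks.
        "unsafe": lookup_unsafe(conn, hostile),
        # Bind parameter: no user is literally named "x' OR '1'='1", so no rows.
        "safe": lookup_safe(conn, hostile),
        # The safe form still works normally for an ordinary value.
        "safe_exact": lookup_safe(conn, "alice"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print("%-10s %r" % (label, rows))
```

Running it shows `unsafe` returning both rows, `safe` returning none, and `safe_exact` returning only `alice`. With SQLAlchemy the `lookup_safe` query would be written as `text("SELECT name FROM users WHERE name = :name").params(name=name)` (or passed a parameter dict at execute time); the driver call underneath is the one shown here.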