I did a little investigation using a quite naive approach. The filter method has *criterion as its argument, and several other ORM Query methods have a similar argument. In the case of the filter method, the *criterion argument ends up passed into _literal_as_text, which in the case of a string marks it as safe SQL (please correct me if I'm wrong). Here is the outcome of the ORM Query class method investigation with the *criterion argument:

filter - uses _literal_as_text (NOT SAFE)
having - uses _literal_as_text (NOT SAFE)
distinct - uses _literal_as_label_reference (NOT SAFE)
order_by - uses _literal_as_label_reference (NOT SAFE)
group_by - uses _literal_as_label_reference (NOT SAFE)
join - uses model attributes to resolve relation (SAFE)

Examples of possible method misuses (to keep it simple, string formatting is skipped):

db.session.query(User.login).group_by('login union select name from roles').all()
db.session.query(User.login).order_by('users_login select name from roles').all()
db.session.query(User.login).distinct('name) name from roles /*').order_by('*/').all()
db.session.query(User.login).group_by('login').having('count(id) > 4 select name from roles').all()

Note that these methods are only unsafe if a string literal is passed.

If you write this:

session.query(MyClass).filter("foo={}".format(getArgs))

it is broken because you're passing the data to filter() together with the SQL statement foo=. You're meant to always keep the statement and data separate, i.e.:

session.query(MyClass).filter(MyClass.foo == getArgs)

or

session.query(MyClass).filter_by(foo=getArgs)

as then SqlAlchemy can work its magic and do the escaping with bound parameters.
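The point above is that column names handed to order_by()/group_by() cannot be bound parameters, so user-controlled ordering has to go through an allowlist of known columns while the filter value stays a bound parameter. The following is an added example, not code from the post or from SQLAlchemy; it uses the standard-library sqlite3 module so it runs offline, and the table names, the SORTABLE_COLUMNS mapping and the sample rows are constructed for the demonstration.

```python
"""Allowlisted ordering plus bound parameters, as a defence against the
string-literal misuse of order_by()/group_by()/filter() shown above."""
import sqlite3

# Allowlist: the only sort keys a client may ask for, mapped to real columns.
# With SQLAlchemy the values would be model attributes (e.g. User.login)
# rather than column-name strings.
SORTABLE_COLUMNS = {"login": "login", "id": "id"}


def list_logins(conn, min_id, sort_key, descending=False):
    """Return logins with id >= min_id, ordered by an allowlisted column.

    Raises ValueError for any sort_key not in the allowlist, so a payload
    such as 'users_login select name from roles' never reaches the SQL text.
    """
    try:
        column = SORTABLE_COLUMNS[sort_key]
    except KeyError:
        raise ValueError(f"unsupported sort key: {sort_key!r}") from None
    direction = "DESC" if descending else "ASC"
    # The identifier comes only from our own mapping; the value is bound.
    sql = f'SELECT login FROM users WHERE id >= ? ORDER BY "{column}" {direction}'
    return [row[0] for row in conn.execute(sql, (min_id,))]


def make_demo_db():
    """Constructed sample data: a users table and an unrelated roles table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT)")
    conn.execute("CREATE TABLE roles (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "carol"), (2, "alice"), (3, "bob")])
    conn.execute("INSERT INTO roles VALUES (1, 'admin')")
    conn.commit()
    return conn


def is_rejected(conn, sort_key):
    """True if the allowlist refuses the given sort key."""
    try:
        list_logins(conn, 0, sort_key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_demo_db()
    print(list_logins(db, 0, "login"))
    print(is_rejected(db, "login union select name from roles"))
```

Because min_id is bound rather than formatted in, a value like "0 OR 1=1" is compared as text and simply matches nothing instead of widening the query.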