Is Session.execute SQL injection safe?

1,440 views

Ryan

Feb 28, 2011, 5:35:37 PM
to sqlal...@googlegroups.com
Can't find anything in the docs as to whether query strings passed into Session.execute are escaped/safe from SQL injection. Any insights? Thanks.

Michael Bayer

Mar 1, 2011, 12:37:08 AM
to sqlal...@googlegroups.com

On Feb 28, 2011, at 5:35 PM, Ryan wrote:

> Can't find anything in the docs as to whether query strings passed into Session.execute are escaped/safe from SQL injection. Any insights? Thanks.

A literal query string is only safe against injection if you ensure that the string contains no portions of user-entered text inside of it. Bind parameters should always be used for literal values. Docs on the text() construct, which Session.execute() uses, and the accepted bind parameter format, are here: http://www.sqlalchemy.org/docs/core/expression_api.html#sqlalchemy.sql.expression.text


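The distinction Michael draws above, shown side by side in code. This is an added example, not code from the thread or from SQLAlchemy itself; it uses Python's stdlib sqlite3 (which accepts the same `:name` bind-parameter syntax as SQLAlchemy's text() construct) so it runs with no extra dependencies. The `users` table, its rows, the function names and the payload string are all constructed here for illustration. In SQLAlchemy the safe form below corresponds to `session.execute(text("... WHERE name = :name"), {"name": value})`.

```python
import sqlite3

# Constructed sample data (not from the original thread): a tiny users table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (name, is_admin) VALUES (?, ?)",
        [("alice", 1), ("bob", 0), ("carol", 0)],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, name):
    # The pattern the question is about: a literal query string with
    # user-entered text spliced into it. The value becomes part of the SQL
    # grammar, so quotes and operators in it are interpreted, not stored.
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name):
    # Bind parameter: the SQL text is a fixed literal that contains no user
    # input; the value travels separately and is never parsed as SQL.
    # This ":name" form is the same syntax SQLAlchemy's text() accepts.
    sql = "SELECT name FROM users WHERE name = :name"
    return [row[0] for row in conn.execute(sql, {"name": name})]


# Caveat a practitioner wants: bind parameters cover *values* only. Table and
# column names cannot be bound, so anything structural coming from the user
# has to be validated against an allow-list before it goes into the string.
ALLOWED_SORT_COLUMNS = {"id", "name", "is_admin"}  # hypothetical allow-list


def list_users_sorted(conn, column):
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unknown sort column: %r" % column)
    # Safe to interpolate only because the identifier was allow-listed.
    sql = "SELECT name FROM users ORDER BY %s" % column
    return [row[0] for row in conn.execute(sql)]


def demo():
    conn = make_db()
    payload = "x' OR '1'='1"  # constructed injection payload
    results = {
        "unsafe_normal": find_user_unsafe(conn, "bob"),
        "unsafe_payload": find_user_unsafe(conn, payload),
        "safe_normal": find_user_safe(conn, "bob"),
        "safe_payload": find_user_safe(conn, payload),
        "sorted_by_name": list_users_sorted(conn, "name"),
    }
    try:
        list_users_sorted(conn, "name; DROP TABLE users")
        results["identifier_rejected"] = False
    except ValueError:
        results["identifier_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The unsafe lookup returns every row for the payload because the string becomes `WHERE name = 'x' OR '1'='1'`, while the bound version looks for a user literally named `x' OR '1'='1` and finds none. The sort helper shows the limit of bind parameters: identifiers are not values, so they need an allow-list rather than a placeholder.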

Ryan McKillen

Mar 1, 2011, 2:50:58 AM
to sqlal...@googlegroups.com
Great. Thank you.