On 4/3/15 3:10 PM, Jonathan Vanasco wrote:
> I have an include file that generates a handful of timestamp clauses:
>
> import sqlalchemy
> import lib.constants
>
> def sql_now():
>     return sqlalchemy.sql.text("(CURRENT_TIMESTAMP AT TIME ZONE 'UTC')")
>
> def sql_now_minus_10_minutes():
>     return sqlalchemy.sql.text(
>         "(CURRENT_TIMESTAMP AT TIME ZONE 'UTC' - INTERVAL '10 MINUTES')")
>
> One of them needs to be driven by a configuration value:
>
> def sql_now_minus_interval(interval):
>     return sqlalchemy.sql.text(
>         "(CURRENT_TIMESTAMP AT TIME ZONE 'UTC' - INTERVAL '%s')"
>         % lib.constants.RATELIMIT_TIMEOUT_A)
>
>
> Is there anything I can do to protect myself from accidental SQL
> injection?  This is all first-party code, so I'm not worried about a
> "little bobby tables" scenario, but am concerned with bad text getting
> named in the constant and breaking a query.

Is lib.constants.RATELIMIT_TIMEOUT_A a source of untrusted user input?
If not, then it's OK.

Though in this specific case I would think you could use a bound
parameter just as well (text() supports these via :param and .bindparams()).


-- 
You received this message because you are subscribed to the Google Groups 
"sqlalchemy" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to sqlalchemy+unsubscr...@googlegroups.com.
To post to this group, send email to sqlalchemy@googlegroups.com.
Visit this group at http://groups.google.com/group/sqlalchemy.
For more options, visit https://groups.google.com/d/optout.
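As an added example of the bound-parameter approach suggested in the reply (this is not code from the thread or from SQLAlchemy itself): the configurable timeout travels through text().bindparams() and a server-side CAST instead of % formatting, so a stray quote in the constant can no longer change the SQL text. The timeout strings, the allow-list regex and the function names below are constructed for the example; the original constant lib.constants.RATELIMIT_TIMEOUT_A is stood in for by plain strings.

```python
import re
from sqlalchemy import text
from sqlalchemy.dialects import postgresql

# Constructed sample configuration values (stand-ins for something like
# lib.constants.RATELIMIT_TIMEOUT_A). The second one carries the kind of
# stray quote that a typo in a constant could introduce.
GOOD_TIMEOUT = "10 MINUTES"
BAD_TIMEOUT = "10 MINUTES'"

# Hypothetical allow-list for first-party config: "<digits> <unit>" only.
_TIMEOUT_RE = re.compile(r"^\d{1,6} (SECOND|MINUTE|HOUR|DAY)S?$", re.IGNORECASE)


def sql_now_minus_interval_unsafe(timeout):
    """The original pattern: the value is spliced into the SQL string itself."""
    return text("(CURRENT_TIMESTAMP AT TIME ZONE 'UTC' - INTERVAL '%s')" % timeout)


def sql_now_minus_interval(timeout):
    """Bound-parameter version of the same clause.

    A bind marker cannot sit inside a quoted literal, so INTERVAL '...'
    becomes CAST(:timeout AS INTERVAL): the quotes stay in the SQL text and
    the value is handed to the DBAPI driver separately as a parameter.
    """
    return text(
        "(CURRENT_TIMESTAMP AT TIME ZONE 'UTC' - CAST(:timeout AS INTERVAL))"
    ).bindparams(timeout=timeout)


def validated_timeout(value):
    """Fail at startup, not at query time, if the constant is not a plain interval."""
    if not _TIMEOUT_RE.match(value):
        raise ValueError("bad rate-limit timeout: %r" % (value,))
    return value


def render(clause):
    """Compile for PostgreSQL and return (sql_text, bound_params)."""
    compiled = clause.compile(dialect=postgresql.dialect())
    return str(compiled), dict(compiled.params)


def quotes_balanced(sql):
    """Cheap sanity check: an odd number of single quotes means a broken literal."""
    return sql.count("'") % 2 == 0


if __name__ == "__main__":
    for value in (GOOD_TIMEOUT, BAD_TIMEOUT):
        sql, _ = render(sql_now_minus_interval_unsafe(value))
        print("unsafe:", sql, "ok" if quotes_balanced(sql) else "BROKEN")
        sql, params = render(sql_now_minus_interval(value))
        print("bound: ", sql, params)
    validated_timeout(GOOD_TIMEOUT)
    try:
        validated_timeout(BAD_TIMEOUT)
    except ValueError as exc:
        print("rejected:", exc)
```

With the bound form the compiled SQL is byte-for-byte the same whichever value the constant holds; only the parameter dictionary changes, which is what makes the query immune to both typos and injection. The regex check is the belt-and-braces step for first-party config: it rejects anything that is not a simple interval before the value ever reaches a query.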