On 4/3/15 3:10 PM, Jonathan Vanasco wrote:
> I have an include file that generates a handful of timestamp clauses:
>
> def sql_now():
>     return sqlalchemy.sql.text("(CURRENT_TIMESTAMP AT TIME ZONE 'UTC')")
>
> def sql_now_minus_10_minutes():
>     return sqlalchemy.sql.text("(CURRENT_TIMESTAMP AT TIME ZONE 'UTC' - INTERVAL '10 MINUTES')")
>
> One of them needs to be driven by a configuration value:
>
> def sql_now_minus_interval(interval):
>     return sqlalchemy.sql.text("(CURRENT_TIMESTAMP AT TIME ZONE 'UTC' - INTERVAL '%s')" % lib.constants.RATELIMIT_TIMEOUT_A)
>
> Is there anything I can do to protect myself from accidental sql injection? This is all first-party code, so I'm not worried about a "little bobby tables" scenario, but am concerned with bad text getting named in the constant and breaking a query.
Is lib.constants.RATELIMIT_TIMEOUT_A a source of untrusted user input? If not, then it's OK. Though in this specific case I would think you could use a bound parameter just as well (text() supports these via :param and .bindparams()).
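Added example, not written by either poster: the bound-parameter approach the reply points at, applied to the rate-limit clause. It assumes PostgreSQL (the thread shows AT TIME ZONE / INTERVAL syntax but never names the dialect), stands in a constructed constant for lib.constants.RATELIMIT_TIMEOUT_A, and only compiles the clauses, so it runs without a database.

```python
import sqlalchemy
from sqlalchemy import text
from sqlalchemy.dialects import postgresql

# Constructed stand-in for lib.constants.RATELIMIT_TIMEOUT_A (not from the thread).
RATELIMIT_TIMEOUT_MINUTES = 10


def sql_now_minus_interval_interpolated(interval):
    """The original approach: the constant is pasted into the SQL string,
    so a stray quote in the constant becomes part of the query text."""
    return text("(CURRENT_TIMESTAMP AT TIME ZONE 'UTC' - INTERVAL '%s')" % interval)


def sql_now_minus_minutes(minutes):
    """Bound-parameter approach: the value travels separately from the SQL.

    INTERVAL '...' literal syntax cannot take a parameter, so the interval is
    built with PostgreSQL's make_interval() (assumed dialect). The parameter
    is typed as Integer and validated here, so non-numeric "bad text" in the
    constant fails in Python instead of breaking the query at runtime.
    """
    minutes = int(minutes)  # raises ValueError on e.g. "10 MINUTES'"
    return text(
        "(CURRENT_TIMESTAMP AT TIME ZONE 'UTC' - make_interval(mins => :minutes))"
    ).bindparams(sqlalchemy.bindparam("minutes", minutes, type_=sqlalchemy.Integer))


def compiled_postgres(clause):
    """Return (sql_text, params) as the PostgreSQL driver would receive them."""
    compiled = clause.compile(dialect=postgresql.dialect())
    return str(compiled), dict(compiled.params)


if __name__ == "__main__":
    bad_constant = "10 MINUTES'"  # constructed: a typo'd constant with a stray quote
    print(compiled_postgres(sql_now_minus_interval_interpolated(bad_constant)))
    print(compiled_postgres(sql_now_minus_minutes(RATELIMIT_TIMEOUT_MINUTES)))
```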