> On Mar 8, 2019, at 9:06 PM, Mike Bayer wrote:
>
> Datatypes like Integer() when rendering the literal value pass the
> incoming input directly to str() which goes straight to the database...
Thank you so much for the explanation! This is very helpful.
--
SQLAlchemy -
The Python SQL
On Fri, Mar 8, 2019 at 6:09 PM Walter Askew wrote:
> On Mar 8, 2019, at 11:57 AM, Mike Bayer wrote:
>
> this use is insecure and is not supported. SQLAlchemy's bound
> parameter rendering is only intended for debugging and for special DDL
> scenarios and should not be used for ordinary SQL statements passed to
> a database.
Would you
On Fri, Mar 8, 2019 at 2:00 PM Walt wrote:
>
>
>
> On Friday, March 8, 2019 at 12:19:54 PM UTC-6, Mike Bayer wrote:
>>
>>
>> I've re-read your original request. If I am reading correctly, *you*
>> are generating these values and passing them to an HTTP web service of
>> some kind. In this
My understanding is that this is untrusted data, providing a frontend to a
DB, where the "connection" is actually an HTTP API.
I'd be super cautious here, as there are loads of historic encoding issues
with each database backend. Don't forget newlines and null bytes. If you
can, whitelist a
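Added illustration, not code from SQLAlchemy or from anyone in this thread, of the two points made above: rendering a bound value with str() lets a non-integer string through unchanged, and a per-type whitelist that rejects wrong Python types, control characters (newlines, NUL) and backslashes is the kind of check to put in front of any literal rendering whose output is sent to a database. All function and variable names, the sample statement and the bindings below are invented for the example.

```python
"""
Strict literal rendering for SQL that has to be shipped as a plain string.

Example code only (not SQLAlchemy's implementation): naive_render_int mimics
the str() behaviour described in the thread; render_literals shows a
type-declared whitelist that refuses anything it cannot render safely.
"""
import re
from typing import Any, Callable, Dict, Mapping


class UnsafeLiteral(ValueError):
    """The value cannot be rendered as a literal of the declared type."""


def naive_render_int(value: Any) -> str:
    """The behaviour the thread describes: str() on the input, no type check.
    A string such as "1 OR 1=1" comes out unchanged."""
    return str(value)


def render_int(value: Any) -> str:
    """Accept only a real int (bool is an int subclass, so exclude it)."""
    if type(value) is not int:
        raise UnsafeLiteral(f"expected int, got {type(value).__name__}: {value!r}")
    return str(value)


# Conservative character whitelist for string literals. Backslashes are
# rejected because backends disagree on whether they escape anything;
# control characters (newline, NUL, ...) are rejected outright.
_SAFE_STR = re.compile(r"\A[A-Za-z0-9 _.,@:/'\-]*\Z")


def render_str(value: Any) -> str:
    """Render a str as a quoted literal after whitelisting its characters."""
    if not isinstance(value, str):
        raise UnsafeLiteral(f"expected str, got {type(value).__name__}: {value!r}")
    if not _SAFE_STR.match(value):
        raise UnsafeLiteral(f"string has characters outside the whitelist: {value!r}")
    # Standard SQL quote doubling; everything else that could need escaping
    # has already been rejected above.
    return "'" + value.replace("'", "''") + "'"


# Renderers keyed by the declared (hypothetical) type name of each bind.
RENDERERS: Dict[str, Callable[[Any], str]] = {"int": render_int, "str": render_str}

# :name placeholders; the lookbehind keeps a "::cast" from being treated as one.
_PLACEHOLDER = re.compile(r"(?<!:):([A-Za-z_][A-Za-z0-9_]*)")


def render_literals(statement: str, params: Mapping[str, Any],
                    types: Mapping[str, str]) -> str:
    """Replace :name placeholders with literals rendered by the declared type.

    Every placeholder must have both a value and a whitelisted type; anything
    else is an error rather than a silent fallback to str().
    """
    def substitute(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name not in params:
            raise UnsafeLiteral(f"no value for :{name}")
        if types.get(name) not in RENDERERS:
            raise UnsafeLiteral(f"no whitelisted type for :{name}")
        return RENDERERS[types[name]](params[name])

    return _PLACEHOLDER.sub(substitute, statement)


# Constructed sample statement and type declarations (not from the thread).
STATEMENT = "SELECT id, name FROM users WHERE id = :uid AND name = :uname"
TYPES = {"uid": "int", "uname": "str"}


def rejects(params: Mapping[str, Any]) -> bool:
    """True when the strict renderer refuses the given bindings."""
    try:
        render_literals(STATEMENT, params, TYPES)
    except UnsafeLiteral:
        return True
    return False


if __name__ == "__main__":
    print(render_literals(STATEMENT, {"uid": 42, "uname": "o'brien"}, TYPES))
    # str() alone would have rendered this as ... WHERE id = 1 OR 1=1 ...
    print("rejected:", rejects({"uid": "1 OR 1=1", "uname": "x"}))
```

render_literals() raises instead of falling back to str(), so a bind declared as int cannot be rendered from the string "1 OR 1=1", and a str bind carrying a NUL byte or newline is refused before any quoting happens. The character whitelist is deliberately narrow; widening it means deciding, per backend, what that backend does with each extra character, which is the encoding trap the reply above warns about.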
On Friday, March 8, 2019 at 12:19:54 PM UTC-6, Mike Bayer wrote:
>
>
> I've re-read your original request. If I am reading correctly, *you*
> are generating these values and passing them to an HTTP web service of
> some kind. In this scenario, there is no untrusted input, so there is
> no
On Fri, Mar 8, 2019 at 10:31 AM Walter Askew wrote:
>
>
>
> On Mar 8, 2019, at 5:25 AM, Mike Bayer wrote:
>
>
> SQL injection has to do with strings that are sent to the database
> engine. From what you said above, it seems like you are generating
> strings just to display them on a webpage?
>
No, I’m not displaying SQL strings on a webpage. I’m
On Thu, Mar 7, 2019 at 4:47 PM Walt wrote:
>
> For some odd reasons, I'm in a situation where I don't have direct access to
> a database, but I do have an HTTP API fronting the database which I can
> submit SQL strings to and get results back from. I'd like to use SQLAlchemy
> to generate the
> On Mar 7, 2019, at 8:08 PM, Seth P wrote:
>
> Someone wrote a server that blindly executes SQL strings? Oy. Google around
> for why that is a terrible idea.
Oh, I am very familiar with why it’s a terrible idea. Unfortunately, I’m a user
of this service and don’t have much of a choice in
Someone wrote a server that blindly executes SQL strings? Oy. Google around for
why that is a terrible idea.
--
SQLAlchemy -
The Python SQL Toolkit and Object Relational Mapper
http://www.sqlalchemy.org/
To post example code, please provide an MCVE: Minimal, Complete, and Verifiable
For some odd reasons, I'm in a situation where I don't have direct access
to a database, but I do have an HTTP API fronting the database which I can
submit SQL strings to and get results back from. I'd like to use SQLAlchemy
to generate the query strings I send to the HTTP API, but I'm