you can use text() clauses with bind parameters encoded as
":somename"...and then feed those into connection.execute() along
with a dict of values. check out the "sql construction" docs for
examples.
On Oct 25, 2006, at 3:05 PM, Christoph Zwerschke wrote:
>
> Michael Bayer wrote:
>> you can execute DDL statements as literal text strings straight from an
>> engine or connection. the Session object has a connect() method on it
>> which will also use an underlying engine (if the session is bound to
>> one), or you can pass it a mapper which it can relate to the underlying
>> engine.
>>
>> once you have your connection, you can just execute:
>>
>> connection.execute("alter user foo set password='hoho'")
>
> Thanks; that works very well. Next question ;-) If "foo" and "hoho" are
> variable, how can I validate they have no illegal characters and escape
> such chars so they cannot do anything evil on the database (the string
> "hoho" must not contain an apostrophe; the string "foo" must not contain
> a semicolon etc.)...
>
> -- Chris
>
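
The bind-parameter approach from the reply above, as an added example that is not part of the original thread or SQLAlchemy's own code. It assumes the standard-library sqlite3 driver, which accepts the same ":somename" placeholders with a dict of values, and a constructed `accounts` table standing in for the user catalog; all function names are hypothetical.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data; SQLite has no ALTER USER, so a table stands in.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (name TEXT PRIMARY KEY, password TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("foo", "old"), ("admin", "secret")])
    return db


def set_password_unsafe(db, name, password):
    # String building: an apostrophe in either value alters the statement text.
    db.execute("UPDATE accounts SET password='%s' WHERE name='%s'"
               % (password, name))


def set_password_bound(db, name, password):
    # Values are sent separately from the SQL text, so no escaping is needed.
    db.execute("UPDATE accounts SET password = :pw WHERE name = :name",
               {"pw": password, "name": name})


# Identifiers (a user or table name) cannot be bound as parameters, so they
# are checked against a strict pattern and then quoted.
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,62}")


def quote_identifier(name):
    if not IDENT.fullmatch(name):
        raise ValueError("illegal identifier: %r" % (name,))
    return '"%s"' % name


def passwords(db):
    return dict(db.execute("SELECT name, password FROM accounts"))


if __name__ == "__main__":
    db = make_db()
    set_password_bound(db, "foo", "ho'ho; --")
    print(passwords(db))
    print(quote_identifier("foo"))
```

Whether a particular database accepts bind parameters inside a statement such as ALTER USER depends on the database and its driver; where it does not, the identifier check shown here is the part that still applies.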