On Apr 19, 2007, at 12:37 PM, vkuznet wrote:
>
> Hi,
> I'm developing a web application where users are allowed to specify
> where statement. So I can capture it as a string, e.g.
> ( T1.C1=1 OR T1.C1=5) AND T3.C3 like 'test%'
>
> where T1 is table 1 and C1 is column 1, and so on. Now the hard
> question is how to add such string to sqlalchemy query? I've look at a
> code and one possible way I see is to created a TextClause with binded
> parameters. But even if I can, the hard part would be to preserve
> brackets and AND/OR between different conditions.
wouldnt they be typing the brackets? those can be in the text()
clause too. but just FYI, this database will be 1000% wide open for
SQL injection attacks. i would even call it an "injection", just an
"anyone can type anything" attack... :)
> So, it should be a
> way to substitue Table.Column with sqlalchemy.Column (which I can do),
> and rvalues with binded names, and create a dict of binded parameters,
> and just pass a string like
>
> ( T1.C1 = :param1 OR T1.C1 = :param2 ) AND T3.C3 like :param3
> {'param1':1, 'param2':5,'param3':'test%'}
>
> to given query
>
> Is there any way to address this issue. I'll be glad if someone will
> give me some guidelines.
if I were building this application, id parse the string into an
expression tree and have the tree generate a ClauseElement from
that. looks like http://pyparsing.wikispaces.com/ even includes a
SQL parsing example, so there you go.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"sqlalchemy" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at
http://groups.google.com/group/sqlalchemy?hl=en
-~----------~----~----~----~------~----~------~--~---
