Regarding attack,
I'm doing read-only application using read-only account, so insert/
updates are forbidden to users, as well as I'm not passing "blindly"
such query. As I said only where clause is exposed to the user not
query itself. And such where clause in my hand before I'm passing it
to
underneath query, so whereclause validation is in place.
Thanks for reference.
Valentin.
On Apr 19, 1:20 pm, Michael Bayer <[EMAIL PROTECTED]> wrote:
> On Apr 19, 2007, at 12:37 PM, vkuznet wrote:
>
>
>
> > Hi,
> > I'm developing a web application where users are allowed to specify
> > where statement. So I can capture it as a string, e.g.
> > ( T1.C1=1 OR T1.C1=5) AND T3.C3 like 'test%'
>
> > where T1 is table 1 and C1 is column 1, and so on. Now the hard
> > question is how to add such string to sqlalchemy query? I've look at a
> > code and one possible way I see is to created a TextClause with binded
> > parameters. But even if I can, the hard part would be to preserve
> > brackets and AND/OR between different conditions.
>
> wouldnt they be typing the brackets? those can be in the text()
> clause too. but just FYI, this database will be 1000% wide open for
> SQL injection attacks. i would even call it an "injection", just an
> "anyone can type anything" attack... :)
>
> > So, it should be a
> > way to substitue Table.Column with sqlalchemy.Column (which I can do),
> > and rvalues with binded names, and create a dict of binded parameters,
> > and just pass a string like
>
> > ( T1.C1 = :param1 OR T1.C1 = :param2 ) AND T3.C3 like :param3
> > {'param1':1, 'param2':5,'param3':'test%'}
>
> > to given query
>
> > Is there any way to address this issue. I'll be glad if someone will
> > give me some guidelines.
>
> if I were building this application, id parse the string into an
> expression tree and have the tree generate a ClauseElement from
> that. looks likehttp://pyparsing.wikispaces.com/even includes a
> SQL parsing example, so there you go.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"sqlalchemy" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at
http://groups.google.com/group/sqlalchemy?hl=en
-~----------~----~----~----~------~----~------~--~---
