Think about it this way: There's two kinds of strings when you're dealing with SQL: 1) SQL language, 2) your data input. Don't ever include (2) in (1) –– let the API do it.
\malthe On 4 July 2011 21:41, Krishnakant Mane <[email protected]> wrote: > Hello all. > I use Pylons 0.9.7 and sqlalchemy. > I use the Object Relational Mapper with declarative syntax in a few of my > modules. > I was reading chapter 7 of the Pylons book and I understood that sql > injections can be avoided using the expression api. > But can this be also done using ORM? > I tryed on my software and sql injections do work. > Is it possible to avoide it with ORM or will i have to totally avoide using > an ORM layer of sqlalchemy and only use the expression api? > Happy hacking. > Krishnakant. > > -- > You received this message because you are subscribed to the Google Groups > "pylons-discuss" group. > To post to this group, send email to [email protected]. > To unsubscribe from this group, send email to > [email protected]. > For more options, visit this group at > http://groups.google.com/group/pylons-discuss?hl=en. > > -- You received this message because you are subscribed to the Google Groups "sqlalchemy" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/sqlalchemy?hl=en.
