> Say I create an instance of a mapped class and then attach some values
> to it.
> And want to do session.add.
If you're worried about something like this:
user = User()
user.name = ";DROP TABLE users;"
session.add(user)
then don't be; there is no possibility of SQL injection here:
SQLAlchemy takes care of that. Unless your tests show otherwise, of
course :)
What you shouldn't do though, as Malthe points out, is to manually
construct SQL statements from bits which potentially come from user
input:
name = raw_input("Enter your name")
session.execute(sa.text("INSERT INTO users VALUES ('" + name + "')"))
- that's where you should use the expression API instead.
--
You received this message because you are subscribed to the Google Groups
"sqlalchemy" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/sqlalchemy?hl=en.
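The two patterns contrasted in the reply above, as an added example that is not part of the original post. It uses Python's standard-library sqlite3 module instead of SQLAlchemy so it runs with no extra dependencies; the DB-API parameter binding shown here (`?` placeholders) is the same mechanism SQLAlchemy relies on when it flushes a session.add() or executes sa.text() with bound parameters. The table name, column, and sample inputs (the post's own ";DROP TABLE users;" plus a name containing a quote) are constructed for the example.

```python
import sqlite3

# Constructed sample inputs: a benign name containing a quote, and the
# SQL-looking value from the post.
SAMPLE_NAMES = ["O'Brien", ";DROP TABLE users;"]


def fresh_db():
    """Return an in-memory database with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    return conn


def insert_concatenated(conn, name):
    """The pattern the post warns against: SQL text assembled from user input.

    Whatever the user typed becomes part of the statement's syntax, so a
    quote in the input changes the shape of the query.
    """
    sql = "INSERT INTO users VALUES ('" + name + "')"
    conn.execute(sql)


def insert_bound(conn, name):
    """The safe pattern: the value travels as a bound parameter.

    The statement text is fixed; the driver hands the value to SQLite
    separately, so it can only ever be stored as data.  This is what the
    ORM does for session.add(), and what sa.text("... :name") with a
    parameter dict does.
    """
    conn.execute("INSERT INTO users VALUES (?)", (name,))


def stored_names(conn):
    """Read back every stored name in insertion order."""
    return [row[0] for row in conn.execute("SELECT name FROM users ORDER BY rowid")]


def try_insert(insert_fn, name):
    """Run one insert against a fresh table.

    Returns ("ok", stored rows) or ("error", exception class name), so the
    two insert styles can be compared on the same inputs.
    """
    conn = fresh_db()
    try:
        insert_fn(conn, name)
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)
    return ("ok", stored_names(conn))


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(repr(name))
        print("  concatenated:", try_insert(insert_concatenated, name))
        print("  bound:       ", try_insert(insert_bound, name))
```

Note what the results show about the post's "unless your tests show otherwise" remark: the value ";DROP TABLE users;" contains no quote, so it is inserted as a harmless literal even by the concatenating version, and a test built only on that input would pass. The quote in "O'Brien" is what exposes the concatenation bug (the statement becomes malformed and SQLite rejects it), while the bound-parameter version stores both values exactly as typed. The SQLAlchemy equivalent of insert_bound is `session.execute(sa.text("INSERT INTO users VALUES (:name)"), {"name": name})`.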