On Oct 21, 2011, at 4:02 PM, Firass Asad wrote:
> Good day,
>
> I am having trouble using sqlalchemy with a third-party Sybase 9
> database with read-only permissions. I believe this is based on the
> way (certain versions of) Sybase handle prepared statements[1].
>
>
> Using pyodbc, this works:
> results = cursor.execute("select name from table where name='Bob'")
>
> While this doesn't work:
> results = cursor.execute("select name from table where name = ?",
> ["Bob"])
>
> The error message is the following:
> ASA Error -121: Permission denied: you do not have permission to use
> the "CREATE PROCEDURE" statement (262)
>
>
> So my question is, is there a way I can use sqlalchemy without using
> prepared statements? What are my options?

You'd have very limited usage options here, and certainly the ORM would be out
of the question. You could pretty much only use engine/connection.execute()
with a straight string.

You should inform the partner you're working with that it's a major security
hazard for the database to not accept bound parameter sets. Without them,
all applications are wide open for SQL injection attacks:
http://en.wikipedia.org/wiki/SQL_injection
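
The reply above leaves only string execution on a database that refuses bound parameters. As an added example (not part of the original thread and not SQLAlchemy's own code), one way to limit the injection exposure in that situation is to inline a value only after a strict allow-list check; `render_literal`, `render_query`, `lookup`, the `people` table and the sqlite3 stand-in engine are assumptions made for this illustration.

```python
import re
import sqlite3  # stand-in engine so the example runs offline; the thread's database is Sybase

# Assumption: the application only needs short names and integers as query values.
_SAFE_TEXT = re.compile(r"[A-Za-z0-9 _.-]{1,64}")


def render_literal(value):
    """Return value as a SQL literal, or raise ValueError if it is not on the allow-list."""
    if isinstance(value, bool):
        raise ValueError("bool is not an accepted value type")
    if isinstance(value, int):
        return str(value)
    if isinstance(value, str) and _SAFE_TEXT.fullmatch(value):
        # The allow-list excludes quotes and backslashes, so the value cannot
        # terminate the literal and no dialect-specific escaping is relied on.
        return "'" + value + "'"
    raise ValueError("value rejected: %r" % (value,))


def render_query(template, values):
    """Fill each ? of a fixed template (no ? inside its own literals) with a checked literal."""
    parts = template.split("?")
    if len(parts) - 1 != len(values):
        raise ValueError("placeholder count does not match value count")
    sql = parts[0]
    for value, tail in zip(values, parts[1:]):
        sql += render_literal(value) + tail
    return sql


def lookup(conn, name):
    sql = render_query("select name from people where name = ?", [name])
    return [row[0] for row in conn.execute(sql)]


def demo():
    """Run one accepted and one rejected lookup against constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table people (name text)")
    conn.execute("insert into people values ('Bob'), ('Alice')")
    found = lookup(conn, "Bob")
    try:
        lookup(conn, "x' or '1'='1")  # constructed hostile input
        rejected = False
    except ValueError:
        rejected = True
    return found, rejected
```

The allow-list also rejects legitimate values such as names containing an apostrophe; widening it means relying on the target database's documented literal escaping, which this example deliberately avoids.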