> On Mar 8, 2019, at 5:25 AM, Mike Bayer <[email protected]> wrote:
> SQL injection has to do with strings that are sent to the database
> engine.   from what you said above, it seems like you are generating
> strings just to display them on a webpage?  

No, I’m not displaying SQL strings on a webpage. I’m asking about the safety of 
directly executing SQL strings returned by .compile() calls, in particular when 
they contain user-provided values.

> that would be the use case
> for literal_binds.    you would not pass these strings to a database
> engine unless you sanitized all input from the user.

I’m asking for more details about the limitations SQLAlchemy has on sanitizing 
user input when compiling strings with literal_binds. The docs say things like:

>  SQLAlchemy has limited ability to do this stringification in certain 
> circumstances such as that of emitting DDL. In order to access this 
> functionality one can use the literal_binds flag, passed to compile_kwargs:
> ...

> the above approach has the caveats that it is only supported for basic types, 
> such as ints and strings, and furthermore if a bindparam() without pre-set 
> value is used directly, it won’t be able to stringify that either.

and I’m wondering how limited this ability is, what the implications of using 
SQLAlchemy to bind literals rather than going through DBAPI like normal are, 
and if this is an issue if you only try to bind 'basic types, such as ints and 
strings'.

I tried testing out a few simple SQL injection examples and saw them get quoted 
out by SQLAlchemy’s literal binding correctly, and I’m wondering how safe it is 
to rely on SQLAlchemy’s literal binding given those warnings in the 
documentation.

You received this message because you are subscribed to the Google Groups 
"sqlalchemy" group.
Visit this group at https://groups.google.com/group/sqlalchemy.