Do you control the HTTP API or is this someone else's system? Does the API just execute the raw sql it is provided, and you're looking to generate that? What you want to do is pipe a SqlAlchemy query into a function that can compile it into the right statement for your database. Below is an example of PostgreSQL that worked on SqlAlchemy 1 (probably 1.3 too, but I haven't tested):
The security concerns you brought up deal with how/what SqlAlchemy treats as trusted user input or not. Most functions in SqlAlchemy will escape the values by default; very few will not, and are documented with a dragon in the database. If you are using values for those items in Sql you need to filter them yourself. Until recently, group_by and order_by were "vulnerable" to the anti-pattern of submitting raw untrusted user input to them. See https://github.com/sqlalchemy/sqlalchemy/issues/4481 . For 99.9% of use cases though, you can just compile your sql to the database's dialect and just send it without worry.

-----

# pypi
import sqlparse
from sqlalchemy.dialects import postgresql as dialect_postgresql

# ==============================================================================


def print_query(q):
    """ prints a sqlalchemy query """
    print("-" * 30)
    if hasattr(q, 'statement'):
        # ORM Query object: compile its underlying Core statement
        print("[q.statement.compile %s]" % type(q))
        statement = str(q.statement.compile(dialect=dialect_postgresql.dialect(), compile_kwargs={"literal_binds": True}))
    elif hasattr(q, 'compile'):
        # Core statement (select/insert/...): compile it directly
        print("[q.compile %s]" % type(q))
        statement = str(q.compile(dialect=dialect_postgresql.dialect(), compile_kwargs={"literal_binds": True}))
    else:
        # anything else: fall back to its string form
        print("[q %s]" % type(q))
        statement = str(q)
    # literal_binds=True inlines the bound values so the text can be sent as-is
    print(sqlparse.format(statement, reindent=True, keyword_case='upper'))
    print("-" * 30)
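Added example (not from the original post) showing the two halves of the advice above: values go through bind parameters, which the PostgreSQL compiler escapes when `literal_binds` inlines them, while an ORDER BY column name is an identifier and must be checked against an allow-list before it reaches `order_by`. The `users` table, `ALLOWED_SORT_COLUMNS`, `compile_pg` and `build_user_query` are constructed for this example and assume SQLAlchemy 1.4 or 2.x.

```python
from sqlalchemy import Column, Integer, MetaData, String, Table
from sqlalchemy.dialects import postgresql

# Constructed sample schema for this example; not part of the original post.
metadata = MetaData()
users = Table(
    "users", metadata,
    Column("id", Integer, primary_key=True),
    Column("name", String),
    Column("email", String),
)

# Column identifiers cannot be bound parameters, so anything a caller may
# choose for ORDER BY is validated against this allow-list first.
ALLOWED_SORT_COLUMNS = frozenset({"id", "name", "email"})


def compile_pg(stmt, literal_binds=True):
    """Render a Core statement as PostgreSQL SQL text.

    literal_binds=True inlines the bound values as quoted, escaped literals,
    which is what you need when handing raw SQL to an API that accepts no
    separate parameters. literal_binds=False keeps %(name)s placeholders.
    """
    return str(stmt.compile(
        dialect=postgresql.dialect(),
        compile_kwargs={"literal_binds": literal_binds},
    ))


def build_user_query(name, min_id, sort_column):
    """Build a query from caller-supplied input and return the compiled SQL.

    `name` and `min_id` travel as bind parameters and are escaped by the
    compiler; `sort_column` is an identifier and is validated by allow-list.
    """
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column: %r" % (sort_column,))
    stmt = (
        users.select()
        .where(users.c.name == name)
        .where(users.c.id > min_id)
        .order_by(users.c[sort_column])
    )
    return compile_pg(stmt)


if __name__ == "__main__":
    # A name containing a quote comes out as 'O''Brien', not a broken literal.
    print(build_user_query("O'Brien", 10, "name"))
```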
