On Friday, March 8, 2019 at 11:32:01 AM UTC-6, Jonathan Vanasco wrote:

> Do you control the HTTP API or is this someone else's system?

It's someone else's. I'm living in a world where folks have generated their SQL with regular old string processing & interpolation in Python because there's no database connection to work with. I'm hoping to replace this with sqlalchemy + .compile()-ing.

> Does the API just execute the raw sql it is provided, and you're looking
> to generate that? What you want to do is pipe a SqlAlchemy query into a
> function that can compile it into the right statement for your database.
> Below is an example of PostgreSQL that worked on SqlAlchemy 1 (probably
> 1.3 too but I haven't tested):

Yep, just executes it raw. I've got the basic examples working, I just wanted to understand the limitations of using SQLAlchemy vs. DBAPI literal binding, particularly any security implications, before I start advocating for more people in my organization to start using this workflow.

> The security concerns you brought up deal with how/what SqlAlchemy treats
> as trusted user input or not. Most functions in SqlAlchemy will escape the
> values by default, very few will not and are documented with a dragon in
> the database. If you are using values for those items in Sql you need to
> filter them yourself.

Thanks, so the limitations the documentation is bringing up are more that SQLAlchemy doesn't know how to bind the same variety of types as does the DBAPI?

> For 99.9% of use cases though, you can just compile your sql to the
> database's dialect and just send it without worry.

Hooray! Thank you for your response!

--
SQLAlchemy - The Python SQL Toolkit and Object Relational Mapper
http://www.sqlalchemy.org/

To post example code, please provide an MCVE: Minimal, Complete, and Verifiable Example. See http://stackoverflow.com/help/mcve for a full description.
---
You received this message because you are subscribed to the Google Groups "sqlalchemy" group.
Visit this group at https://groups.google.com/group/sqlalchemy.
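The exchange above is about shipping a compiled SQLAlchemy statement to an API that only executes raw SQL, and what `literal_binds` does and does not cover. The script below is an added example written for this page, not code from the thread or from the SQLAlchemy project. It assumes SQLAlchemy 1.4 or newer is installed and needs no database connection; the `users` table, the `Money` class and all sample values are constructed here. It contrasts a normal compile (placeholders plus a separate parameter dict), a `literal_binds` compile (values rendered inline with the type's literal processor, so a single quote is doubled), the hand interpolation the thread describes (the quote is left as-is and changes the statement), and the limitation the thread asks about: a Python type with no literal renderer makes `compile()` raise `CompileError` instead of guessing.

```python
"""Added example: compile a SQLAlchemy Core statement to a standalone SQL string
for an API that executes raw SQL, and inspect how bound values are rendered.
Assumes SQLAlchemy 1.4+; no database is used.  Table and values are constructed."""
from sqlalchemy import Column, Integer, MetaData, String, Table, literal, select
from sqlalchemy.dialects import postgresql
from sqlalchemy.exc import CompileError

metadata = MetaData()
# Constructed sample table for the demonstration (not from the thread).
users = Table(
    "users",
    metadata,
    Column("id", Integer, primary_key=True),
    Column("name", String),
)


class Money:
    """Constructed stand-in for a domain type a DBAPI adapter might know how to
    bind (e.g. via a registered adapter) but SQLAlchemy has no literal renderer for."""

    def __init__(self, cents):
        self.cents = cents


def lookup_stmt(name):
    """The statement we want to ship: SELECT users.id FROM users WHERE users.name = :name."""
    return select(users.c.id).where(users.c.name == name)


def compile_with_params(name):
    """Normal compile: the SQL keeps a placeholder and the value travels
    separately in compiled.params.  Use this whenever the executing side
    accepts parameters, because the DBAPI then does the binding."""
    compiled = lookup_stmt(name).compile(dialect=postgresql.dialect())
    return str(compiled), dict(compiled.params)


def compile_literal(name):
    """literal_binds: the value is rendered inline by the String type's literal
    processor, which doubles embedded single quotes.  The result carries no
    parameters, which is what an API that only takes a raw SQL string needs."""
    compiled = lookup_stmt(name).compile(
        dialect=postgresql.dialect(),
        compile_kwargs={"literal_binds": True},
    )
    return str(compiled)


def interpolate_by_hand(name):
    """The string-interpolation habit the thread describes, kept only as a
    contrast: a single quote in the value is not escaped, so it alters the
    statement's structure instead of staying inside the literal."""
    return "SELECT users.id FROM users WHERE users.name = '%s'" % name


def literal_render_or_error(value):
    """literal_binds only covers types that have a literal processor.  For a
    value SQLAlchemy cannot type (here a constructed Money object) compile()
    raises CompileError rather than interpolating something; a plain int
    renders fine.  This is the 'limitation' the thread asks about, and it
    fails closed: the SQL is never produced with a guessed value."""
    stmt = select(literal(value))
    try:
        return str(
            stmt.compile(
                dialect=postgresql.dialect(),
                compile_kwargs={"literal_binds": True},
            )
        )
    except CompileError as exc:
        return "CompileError: %s" % exc


if __name__ == "__main__":
    sql, params = compile_with_params("O'Brien")
    print(sql, params)                          # placeholder + {'name_1': "O'Brien"}
    print(compile_literal("O'Brien"))           # ... users.name = 'O''Brien'
    print(interpolate_by_hand("O'Brien"))       # ... users.name = 'O'Brien'  (broken)
    print(literal_render_or_error(42))          # SELECT 42 AS anon_1
    print(literal_render_or_error(Money(500)))  # CompileError: ...
```

In practice the compiled string from `compile_literal` is what gets sent to the raw-SQL API, while `compile_with_params` is the form to keep if that API ever grows a parameter interface. Treating `CompileError` as a hard failure rather than falling back to string formatting is the point: an unrenderable type should stop the pipeline, not be patched around with interpolation.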
