On Friday, March 8, 2019 at 12:19:54 PM UTC-6, Mike Bayer wrote:
>
>
> I've re-read your original request. If I am reading correctly, *you*
> are generating these values and passing them to an HTTP web service of
> some kind. In this scenario, there is no untrusted input, so there is
> no security concern. If OTOH you are receiving values *from* an
> HTTP web service that is open to untrusted users, then you need to be
> concerned about security.
>
Maybe the HTTP stuff is obscuring my question. Essentially what I'm asking
is the difference between

    query = sqlalchemy.select(....)
    conn.execute(query)

vs.

    # dialect is a keyword argument of compile(), not a compile_kwargs entry
    conn.execute(query.compile(dialect=dialect_postgresql.dialect(),
                               compile_kwargs={"literal_binds": True}).string)

particularly in contexts where the query contains literals provided by
untrusted users.

I'm in the situation where I have to query a database by sending SQL
strings through an HTTP service rather than by connecting to the database
directly, and I'm generating SQL strings in contexts where I have to
consider untrusted user input.
> It's not about the "type" but the "context". The library is large and
> supports many dialects and dbapi drivers. Over time, that has meant many
> things have had to support 'textual arguments' and supplying literal SQL to
> certain commands. (see
> https://docs.sqlalchemy.org/en/latest/orm/tutorial.html#orm-tutorial-literal-sql)
Thanks - this is helpful!
--
SQLAlchemy -
The Python SQL Toolkit and Object Relational Mapper
http://www.sqlalchemy.org/
To post example code, please provide an MCVE: Minimal, Complete, and Verifiable
Example. See http://stackoverflow.com/help/mcve for a full description.
---
You received this message because you are subscribed to the Google Groups
"sqlalchemy" group.
Visit this group at https://groups.google.com/group/sqlalchemy.
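As an added example (not code from the thread or from SQLAlchemy's own docs), this compares the two paths the question contrasts: normal parameterised execution, where the value stays out of the SQL text, versus `literal_binds`, where SQLAlchemy renders the value into the string itself. It assumes SQLAlchemy 1.4 or newer; the `users` table and the two helper functions are constructed here for illustration.

```python
# Added example (not from the thread): what `literal_binds` does to a value
# an untrusted user controls, compared with normal parameterised execution.
# Assumes SQLAlchemy 1.4+; the `users` table is constructed for this demo.
from sqlalchemy import Column, Integer, MetaData, String, Table, select
from sqlalchemy.dialects import postgresql

metadata = MetaData()
users = Table(
    "users", metadata,
    Column("id", Integer, primary_key=True),
    Column("name", String),
)


def parameterised_sql(name):
    """Normal path: the value never enters the SQL text; the driver binds it."""
    query = select(users.c.id).where(users.c.name == name)
    compiled = query.compile(dialect=postgresql.dialect())
    return str(compiled), dict(compiled.params)


def literal_sql(name):
    """literal_binds path: SQLAlchemy itself escapes and inlines the value.

    The escaping happens client-side (quote doubling for String), so its
    safety depends on the server's string-literal rules matching what the
    dialect assumes, not on the DBAPI driver's parameter handling.
    """
    query = select(users.c.id).where(users.c.name == name)
    compiled = query.compile(
        dialect=postgresql.dialect(),
        compile_kwargs={"literal_binds": True},
    )
    return str(compiled)


if __name__ == "__main__":
    # Constructed sample input carrying a single quote.
    hostile = "x' OR '1'='1"
    sql, params = parameterised_sql(hostile)
    print(sql)     # ... WHERE users.name = %(name_1)s
    print(params)  # {'name_1': "x' OR '1'='1"}
    print(literal_sql(hostile))  # ... WHERE users.name = 'x'' OR ''1''=''1'
```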