My understanding is that this is untrusted data, providing a frontend to a
DB, where the "connection" is actually an HTTP API.

I'd be super cautious here, as there are loads of historic encoding issues
with each database backend. Don't forget newlines and null bytes. If you
can, whitelist a subset of characters that are definitely safe, limit
length, validate numbers are in the form you expect. Don't lean on sqla's
escaping because it's not intended for that purpose.

You also need to consider HTTP injection. If it's in a URL, you need to
escape slashes, question marks, etc.



Mark
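As an added illustration (not code from this thread, and not SQLAlchemy's own implementation), the following stdlib-only Python shows the three paths the discussion touches: the unquoted string-building that makes injection possible, a literal-rendering path that only accepts the "basic types" (ints and strings) after the kind of allowlist, length and numeric validation Mark recommends, and the ordinary DBAPI bound-parameter path. `render_literal` is a hypothetical stand-in for what a literal-binding compile step does with a value; it is not `compile(compile_kwargs={"literal_binds": True})`. The `users` table, its rows and the `validate_*` helpers are constructed for the demo.

```python
import re
import sqlite3

# Constructed sample data so the demo runs offline against an in-memory DB.
SAMPLE_ROWS = [(1, "alice", 30), (2, "bob", 25), (3, "carol", 41)]

MAX_NAME_LEN = 64
# Allowlist: a small, definitely-safe character set rather than a blocklist of
# dangerous ones. Quotes, newlines, NUL bytes and slashes all fail this check.
SAFE_NAME = re.compile(r"[A-Za-z0-9_]+")


class InvalidInput(ValueError):
    """Raised when untrusted input fails validation."""


def validate_name(value) -> str:
    """Allowlisted characters, bounded length, must be a str."""
    if not isinstance(value, str):
        raise InvalidInput("name must be a string")
    if len(value) > MAX_NAME_LEN:
        raise InvalidInput("name too long")
    if not SAFE_NAME.fullmatch(value):
        raise InvalidInput("name contains disallowed characters")
    return value


def validate_age(value) -> int:
    """Numbers are checked for the exact form expected, then converted."""
    text = str(value)
    if not re.fullmatch(r"[0-9]{1,3}", text):
        raise InvalidInput("age must be 1 to 3 digits")
    number = int(text)
    if not 0 <= number <= 150:
        raise InvalidInput("age out of range")
    return number


def render_literal(value) -> str:
    """Hypothetical literal renderer for the 'basic types' only (int, str).

    Mirrors the minimal quoting a literal-binding step performs: ints pass
    through, strings get single quotes doubled. Anything else is refused,
    which is the same limitation the quoted docs describe.
    """
    if isinstance(value, bool):  # bool is an int subclass; reject explicitly
        raise TypeError("unsupported literal type: bool")
    if isinstance(value, int):
        return str(value)
    if isinstance(value, str):
        if "\x00" in value:
            raise ValueError("NUL byte cannot be rendered as a SQL literal")
        return "'" + value.replace("'", "''") + "'"
    raise TypeError(f"unsupported literal type: {type(value).__name__}")


def make_conn() -> sqlite3.Connection:
    """Build the constructed users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, age INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def query_unsafe(conn, name) -> list:
    """The injectable 'before': untrusted text pasted straight into SQL."""
    sql = f"SELECT id FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def query_literal(conn, name) -> list:
    """Literal rendering, but only after the input passed the allowlist."""
    sql = "SELECT id FROM users WHERE name = " + render_literal(validate_name(name))
    return [row[0] for row in conn.execute(sql)]


def query_bound(conn, name) -> list:
    """The normal DBAPI path: the driver keeps data and SQL separate."""
    return [row[0] for row in conn.execute(
        "SELECT id FROM users WHERE name = ?", (name,))]


if __name__ == "__main__":
    c = make_conn()
    probe = "x' OR '1'='1"  # constructed tautology probe for the demo
    print("unsafe :", query_unsafe(c, probe))   # every row leaks
    print("bound  :", query_bound(c, probe))    # no match: treated as data
    try:
        query_literal(c, probe)
    except InvalidInput as exc:
        print("literal:", "rejected before reaching SQL:", exc)
```

The point of the pairing: bound parameters need no validation to stay safe, while the literal path is only as safe as the validation in front of it, so the allowlist and length limit are doing the real work there, not the quoting.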

On Fri, 8 Mar 2019, 18:19 Mike Bayer, <[email protected]> wrote:

> On Fri, Mar 8, 2019 at 10:31 AM Walter Askew <[email protected]> wrote:
> >
> >
> >
> > On Mar 8, 2019, at 5:25 AM, Mike Bayer <[email protected]> wrote:
> >
> >
> > SQL injection has to do with strings that are sent to the database
> > engine.   From what you said above, it seems like you are generating
> > strings just to display them on a webpage?
> >
> >
> > No, I’m not displaying SQL strings on a webpage. I’m asking about the
> safety of directly executing SQL strings returned by .compile() calls, in
> particular when they contain user-provided values.
>
> I've re-read your original request.   If I am reading correctly, *you*
> are generating these values and passing them to an HTTP web service of
> some kind.  In this scenario, there is no untrusted input, so there is
> no security concern.     If OTOH you are receiving values *from* an
> HTTP web service that is open to untrusted users, then you need to be
> concerned about security.
>
>
> >
> > that would be the use case
> > for literal_binds.    you would not pass these strings to a database
> > engine unless you sanitized all input from the user.
> >
> >
> > I’m asking for more details about the limitations SQLAlchemy has on
> sanitizing user input when compiling strings with literal_binds. The docs
> say things like:
> >
> >  SQLAlchemy has limited ability to do this stringification in certain
> circumstances such as that of emitting DDL. In order to access this
> functionality one can use the literal_binds flag, passed to compile_kwargs:
> >
> > ...
> >
> > the above approach has the caveats that it is only supported for basic
> types, such as ints and strings, and furthermore if a bindparam() without a
> pre-set value is used directly, it won’t be able to stringify that either.
> >
> >
> > and I’m wondering how limited this ability is, what the implications of
> using SQLAlchemy to bind literals rather than going through DBAPI like
> normal are, and if this is an issue if you only try to bind 'basic types,
> such as ints and strings.’
> >
> > I tried testing out a few simple SQL injection examples and saw them get
> quoted out by SQLAlchemy’s literal binding correctly, and I’m wondering how
> safe it is to rely on SQLAlchemy’s literal binding given those warnings in
> the documentation.
> >
> > --
> > SQLAlchemy -
> > The Python SQL Toolkit and Object Relational Mapper
> >
> > http://www.sqlalchemy.org/
> >
> > To post example code, please provide an MCVE: Minimal, Complete, and
> Verifiable Example. See http://stackoverflow.com/help/mcve for a full
> description.
> > ---
> > You received this message because you are subscribed to the Google
> Groups "sqlalchemy" group.
> > To unsubscribe from this group and stop receiving emails from it, send
> an email to [email protected].
> > To post to this group, send email to [email protected].
> > Visit this group at https://groups.google.com/group/sqlalchemy.
> > For more options, visit https://groups.google.com/d/optout.
>
