On Fri, Mar 8, 2019 at 2:00 PM Walt <waltas...@gmail.com> wrote:
>
> On Friday, March 8, 2019 at 12:19:54 PM UTC-6, Mike Bayer wrote:
>>
>> I've re-read your original request. If I am reading correctly, *you*
>> are generating these values and passing them to an HTTP web service of
>> some kind. In this scenario, there is no untrusted input, so there is
>> no security concern. If OTOH you are receiving values *from* an
>> HTTP web service that is open to untrusted users, then you need to be
>> concerned about security.
>
> Maybe the HTTP stuff is obscuring my question. Essentially what I'm asking is 
> the difference between
>
> query = sqlalchemy.select(....)
> conn.execute(query)
> vs.
> conn.execute(query.compile(dialect=dialect_postgresql.dialect(),
>                            compile_kwargs={"literal_binds": True}).string)
>
> particularly in contexts where the query contains literals provided by 
> untrusted users.

This use is insecure and is not supported. SQLAlchemy's bound
parameter rendering is only intended for debugging and for special DDL
scenarios and should not be used for ordinary SQL statements passed to
a database.


>
> I'm in the situation where I have to query a database by sending SQL strings 
> through an HTTP service rather than by connecting to the database directly, 
> and I'm generating SQL strings in contexts where I have to consider untrusted 
> user input.

You should sanitize all user input, both untrusted and trusted (since
browsers cannot be trusted), before passing for literal rendering.

>
>> It's not about the "type" but the "context".  The library is large and 
>> supports many dialects and dbapi drivers.  Over time, that has meant many 
>> things have had to support 'textual arguments' and supplying literal SQL to 
>> certain commands. (see
>> https://docs.sqlalchemy.org/en/latest/orm/tutorial.html#orm-tutorial-literal-sql )
>
> Thanks - this is helpful!
>
> --
> SQLAlchemy -
> The Python SQL Toolkit and Object Relational Mapper
>
> http://www.sqlalchemy.org/
>
> To post example code, please provide an MCVE: Minimal, Complete, and 
> Verifiable Example. See http://stackoverflow.com/help/mcve for a full 
> description.
> ---
> You received this message because you are subscribed to the Google Groups 
> "sqlalchemy" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to sqlalchemy+unsubscr...@googlegroups.com.
> To post to this group, send email to sqlalchemy@googlegroups.com.
> Visit this group at https://groups.google.com/group/sqlalchemy.
> For more options, visit https://groups.google.com/d/optout.

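The distinction the thread turns on, shown as an added example that is not part of the original messages or of SQLAlchemy itself: with a bound parameter the value never becomes SQL text, whereas rendering it inline makes the value part of the statement. The example uses only the standard library (sqlite3, an in-memory database and a few constructed rows) so it runs offline; `find_bound`, `render_literal_naive` and `render_literal_checked` are names chosen here, not SQLAlchemy API. The checked variant is the kind of allow-list validation Mike is asking for before any literal rendering.

```python
"""Bound parameters vs. literal rendering of an untrusted value (added example)."""
import re
import sqlite3

# Constructed sample rows. "O'Brien" is a legitimate value that happens to
# contain the one character a naive literal rendering cannot survive.
ROWS = [(1, "Alice"), (2, "O'Brien"), (3, "Bob")]


def make_db():
    """In-memory database loaded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def find_bound(conn, name):
    """Preferred form: the value travels as a bound parameter, the SQL text is fixed."""
    return conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()


def render_literal_naive(name):
    """What 'inline the value into the SQL string' means without any care.
    Kept only to show why the thread calls this unsupported: a quote in the
    data changes the statement itself."""
    return f"SELECT id FROM users WHERE name = '{name}'"


# Allow-list for values that must be shipped inside a SQL *string* (the
# poster's HTTP-service situation). Anything outside it is rejected outright.
_ALLOWED = re.compile(r"^[A-Za-z0-9 .'_-]{1,64}$")


def render_literal_checked(name):
    """Validate against the allow-list first, then escape single quotes by
    doubling them, which is standard SQL for embedding a quote in a literal."""
    if not _ALLOWED.match(name):
        raise ValueError("rejected value for literal rendering: %r" % name)
    escaped = name.replace("'", "''")
    return f"SELECT id FROM users WHERE name = '{escaped}'"


def run_literal(conn, sql):
    """Execute a pre-rendered SQL string; returns rows or the error class name."""
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return type(exc).__name__


if __name__ == "__main__":
    db = make_db()
    print(find_bound(db, "O'Brien"))                          # [(2,)]
    print(run_literal(db, render_literal_naive("O'Brien")))   # OperationalError
    print(run_literal(db, render_literal_checked("O'Brien"))) # [(2,)]
```

The bound form is the only one that needs no knowledge of the target dialect's quoting rules; the checked renderer is a fallback for the case where a string is all the transport accepts, and its allow-list is deliberately narrow so that a value it cannot vouch for is refused rather than escaped.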
