Hi Mike,

And also to avoid using format, right?

Thanks and Regards,
Piyush Nalawade

On Tue, Mar 26, 2019, 11:16 PM Piyush Nalawade <[email protected]> wrote:

> Hi Mike,
>
> In the above example, do the text and params help to protect from SQL injection attacks?
>
> On Tue, Mar 26, 2019, 11:04 PM Mike Bayer <[email protected]> wrote:
>
>> this would suggest your Engine is not accessing the same database, or does not have the same permissions, as that of your PG admin session.
>>
>> also I would strongly advise against directly substituting variables into literals in SQL strings using format() as this is the source of SQL injection attacks. Please use a bound parameter, e.g.:
>>
>> execute(text("select * from table where foo = :bar").params(bar='some bar'))
>>
>> On Tue, Mar 26, 2019 at 12:19 PM Scheck David <[email protected]> wrote:
>> >
>> > Hi,
>> >
>> > I've a simple query like this:
>> >
>> > def count_references(self, uri):
>> >     sql = 'SELECT count(*) FROM (SELECT image.id, json_array_elements(image.uri_reference)::text as uri_ref FROM image) ss WHERE ss.uri_ref = \'\"{0}\"\''.format(uri)
>> >     result = self.session.execute(text(sql))
>> >
>> > I tested it on pgadmin and all works very well, and SQLAlchemy is throwing an error as:
>> >
>> > sqlalchemy.exc.ProgrammingError: (psycopg2.ProgrammingError) relation "image" does not exist
>> >
>> > LINE 1: ...ements(image.uri_reference)::text as uri_ref FROM image) ss ...

--
SQLAlchemy - The Python SQL Toolkit and Object Relational Mapper
http://www.sqlalchemy.org/

To post example code, please provide an MCVE: Minimal, Complete, and Verifiable Example. See http://stackoverflow.com/help/mcve for a full description.
---
You received this message because you are subscribed to the Google Groups "sqlalchemy" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
Visit this group at https://groups.google.com/group/sqlalchemy.
For more options, visit https://groups.google.com/d/optout.
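Mike's bound-parameter advice, as an added example that is not part of the thread: the count_references() pattern from David's message written twice against a constructed in-memory SQLite table, once with format() and once with a bound parameter, so the difference shows on a URI value that contains a quote. Assumptions: sqlite3's ":name" placeholders stand in for SQLAlchemy's text(...).params(), and the image_refs table stands in for the unnested json_array_elements subquery (one row per array element, already in JSON text form).

```python
import json
import sqlite3

# Constructed sample rows: one row per element of image.uri_reference,
# stored as JSON text exactly as json_array_elements(...)::text would yield it.
SAMPLE_ROWS = [
    (1, '"img/a.png"'),
    (2, '"img/b.png"'),
    (3, '"img/a.png"'),
    (4, '"o\'neil/c.png"'),   # a legitimate URI containing an apostrophe
]


def make_db():
    """Build the in-memory stand-in for the unnested image/uri_ref subquery."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE image_refs (image_id INTEGER, uri_ref TEXT)")
    conn.executemany("INSERT INTO image_refs VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def count_references_format(conn, uri):
    """The pattern from the thread: the value is spliced into the SQL text itself,
    so any quote character in uri changes the meaning of the statement."""
    sql = "SELECT count(*) FROM image_refs WHERE uri_ref = '\"{0}\"'".format(uri)
    return conn.execute(sql).fetchone()[0]


def count_references_bound(conn, uri):
    """Bound parameter (:uri): the SQL text is fixed and the driver sends the
    value separately, so quotes in uri are just data. json.dumps() produces the
    JSON string form that the uri_ref column holds."""
    sql = "SELECT count(*) FROM image_refs WHERE uri_ref = :uri"
    return conn.execute(sql, {"uri": json.dumps(uri)}).fetchone()[0]


def demo():
    """Run both variants on a plain URI and on one containing a quote."""
    conn = make_db()
    results = {
        "format_plain": count_references_format(conn, "img/a.png"),
        "bound_plain": count_references_bound(conn, "img/a.png"),
        "bound_quote": count_references_bound(conn, "o'neil/c.png"),
    }
    try:
        results["format_quote"] = count_references_format(conn, "o'neil/c.png")
    except sqlite3.OperationalError as exc:   # the spliced quote breaks the SQL
        results["format_quote"] = "error: %s" % exc
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The formatted variant fails (or, with a differently shaped input, silently changes the query) on the apostrophe; the bound variant returns the correct count of 1 for the same URI.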
