Hello, I'd like to create tables based on user input, but I'm uncertain about the security implications. Most of the raw text data consists of column and table names, which will be restricted and validated to snake_case with no special characters. I assume I'm okay there, but confirmation would be nice. I would also like to include the ability for users to specify expressions for constraints, which is obviously more concerning.
As an example, which I'm not even sure would be correct injection, but should give you an idea:

CheckConstraint("id = 0)); DROP TABLE table_meta; COMMIT; --", name="ck_injectin_test")

So in this case the entire expression string in the first argument would be raw user input. I tried running `create` with the above just to see what would happen and psycopg2 raised an exception saying there was a syntax error, which seems consistent with their injection examples, but it could just be that I don't know what I'm doing. So long story short, is there a safe way of doing this? Thanks

--
SQLAlchemy - The Python SQL Toolkit and Object Relational Mapper
http://www.sqlalchemy.org/
To post example code, please provide an MCVE: Minimal, Complete, and Verifiable Example. See http://stackoverflow.com/help/mcve for a full description.
---
You received this message because you are subscribed to the Google Groups "sqlalchemy" group. To unsubscribe from this group and stop receiving emails from it, send an email to sqlalchemy+unsubscr...@googlegroups.com. To post to this group, send email to sqlalchemy@googlegroups.com. Visit this group at https://groups.google.com/group/sqlalchemy. For more options, visit https://groups.google.com/d/optout.
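An added example, not part of the original post or of SQLAlchemy itself, illustrating the defensive pattern the question is asking about. The string handed to `CheckConstraint` is emitted verbatim into the `CREATE TABLE` statement: DDL has no bind parameters, so a syntax error from the server says nothing about safety, and escaping is not an option either. The only robust approach is to never pass user text through: validate identifiers against an allowlist, and parse the constraint expression with a small grammar (here: `column op literal`, joined by `AND`) and re-emit it from the parsed parts. The code uses only the standard library (`re`, `sqlite3`) so it runs offline; the grammar, the `RESERVED` word list and the `ALLOWED_TYPES` map are assumptions chosen for this example, and `user_data`/`table_meta` are just the names from the question. The same validated strings could then be handed to SQLAlchemy's `Column`/`CheckConstraint` instead of being formatted into DDL by hand.

```python
import re
import sqlite3
from typing import Dict, Optional, Set

# Identifiers: snake_case, start with a letter, at most 63 chars (PostgreSQL's limit).
IDENT_RE = re.compile(r"[a-z][a-z0-9_]{0,62}")
# Words that fit the snake_case shape but must never become table/column names (assumed list).
RESERVED = {"select", "insert", "update", "delete", "drop", "table", "from",
            "where", "and", "or", "not", "null", "check", "constraint"}
# Column types the user may pick, keyed by what they type (assumed allowlist).
ALLOWED_TYPES = {"integer": "INTEGER", "text": "TEXT", "real": "REAL"}
# One term of a CHECK expression: <column> <operator> <number or single-quoted literal without quotes>.
TERM_RE = re.compile(r"([a-z][a-z0-9_]*)\s*(<>|<=|>=|=|<|>)\s*(-?\d+(?:\.\d+)?|'[^']*')")


def validate_identifier(name: str) -> str:
    """Return name if it is a safe snake_case identifier, otherwise raise ValueError."""
    if not IDENT_RE.fullmatch(name) or name in RESERVED:
        raise ValueError(f"invalid identifier: {name!r}")
    return name


def build_check_expression(expr: str, columns: Set[str]) -> str:
    """Parse a user expression into (column, op, literal) terms and re-emit it.

    Anything that does not fit the grammar is rejected, so no user bytes reach the DDL.
    """
    rendered = []
    for term in re.split(r"\s+AND\s+", expr.strip(), flags=re.IGNORECASE):
        match = TERM_RE.fullmatch(term.strip())
        if match is None:
            raise ValueError(f"rejected constraint term: {term!r}")
        column, op, literal = match.groups()
        if column not in columns:
            raise ValueError(f"unknown column in constraint: {column!r}")
        rendered.append(f'"{column}" {op} {literal}')
    return " AND ".join(rendered)


def create_table_ddl(table: str, columns: Dict[str, str], check: Optional[str] = None) -> str:
    """Assemble CREATE TABLE from validated identifiers, allowlisted types and a parsed CHECK."""
    table = validate_identifier(table)
    col_defs = []
    for name, type_name in columns.items():
        if type_name not in ALLOWED_TYPES:
            raise ValueError(f"unsupported type: {type_name!r}")
        col_defs.append(f'"{validate_identifier(name)}" {ALLOWED_TYPES[type_name]}')
    if check is not None:
        col_defs.append(f"CHECK ({build_check_expression(check, set(columns))})")
    return f'CREATE TABLE "{table}" ({", ".join(col_defs)})'


def demo() -> dict:
    """Run the generated DDL on an in-memory SQLite database and confirm the CHECK is enforced."""
    ddl = create_table_ddl("user_data", {"id": "integer", "name": "text"},
                           check="id >= 0 AND name <> ''")
    conn = sqlite3.connect(":memory:")
    conn.execute(ddl)
    conn.execute("INSERT INTO user_data VALUES (?, ?)", (1, "ok"))  # satisfies the CHECK
    try:
        conn.execute("INSERT INTO user_data VALUES (?, ?)", (-1, "bad"))
        check_enforced = False
    except sqlite3.IntegrityError:
        check_enforced = True
    # The string from the question is rejected by the parser before any DDL is built.
    try:
        build_check_expression("id = 0)); DROP TABLE table_meta; COMMIT; --", {"id"})
        payload_rejected = False
    except ValueError:
        payload_rejected = True
    conn.close()
    return {"ddl": ddl, "check_enforced": check_enforced, "payload_rejected": payload_rejected}


if __name__ == "__main__":
    print(demo())
```

The grammar is deliberately narrow; extending it (parentheses, `OR`, functions) means extending the parser, never relaxing it to "anything that looks like SQL". Quoting the re-emitted identifiers is belt-and-braces, since they have already passed the allowlist.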