Hello,

I'd like to create tables based on user input, but I'm uncertain about the 
security implications.  Most of the raw text data consists of column and 
table names, which will be restricted and validated to snake_case with no 
special characters. I assume I'm okay there, but confirmation would be 
nice. I would also like to include the ability for users to specify 
expressions for constraints, which is obviously more concerning.  

As an example, which I'm not even sure is a correct injection, but it 
should give you an idea:

from sqlalchemy import CheckConstraint

CheckConstraint("id = 0)); DROP TABLE table_meta; COMMIT; --", name="ck_injectin_test")


So in this case the entire expression string in the first argument would be 
raw user input. I tried running `create` with the above just to see what 
would happen and psycopg2 raised an exception saying there was a syntax 
error, which seems consistent with their injection examples but it could 
just be that I don't know what I'm doing.  So long story short, is there a 
safe way of doing this?

Thanks

-- 
SQLAlchemy - 
The Python SQL Toolkit and Object Relational Mapper

http://www.sqlalchemy.org/

To post example code, please provide an MCVE: Minimal, Complete, and Verifiable 
Example.  See  http://stackoverflow.com/help/mcve for a full description.
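One way to answer the question above in code, as an added example that is not part of the original post and not SQLAlchemy's own API: the table and column names go through a whitelist (regex, length cap, reserved words) and are then double-quoted, while the constraint is accepted only in structured form (column, whitelisted operator, typed literal) and compiled from those vetted parts; the user's string itself never becomes SQL text. The regex, the reserved-word set and the column-type map are assumptions for this example and should be tightened for the real schema and dialect.

```python
import math
import re
from dataclasses import dataclass
from typing import Union

# Added example. The whitelists below are assumptions; they are not a
# complete reserved-word list for any dialect and should be extended.
IDENTIFIER_RE = re.compile(r"[a-z][a-z0-9_]{0,62}")  # 63-char cap, snake_case only
RESERVED_WORDS = {"select", "from", "where", "table", "drop", "user", "order",
                  "group", "check", "primary", "references", "constraint"}
COLUMN_TYPES = {"integer": "INTEGER", "text": "TEXT", "boolean": "BOOLEAN",
                "real": "REAL"}
ALLOWED_OPS = {"=", "<>", "<", "<=", ">", ">="}


class UnsafeInput(ValueError):
    """Raised for any user-supplied fragment that fails validation."""


def validate_identifier(name: str) -> str:
    """Accept only short snake_case names that are not reserved words."""
    if (not isinstance(name, str) or not IDENTIFIER_RE.fullmatch(name)
            or name in RESERVED_WORDS):
        raise UnsafeInput(f"rejected identifier {name!r}")
    return name


def quote_identifier(name: str) -> str:
    """Validate, then double-quote so the name can never merge with the SQL around it."""
    return '"' + validate_identifier(name) + '"'


@dataclass(frozen=True)
class Comparison:
    """A user-supplied CHECK condition in structured form: <column> <op> <literal>."""
    column: str
    op: str
    value: Union[bool, int, float, str]


def render_literal(value) -> str:
    """Render a Python value as a SQL literal; the Python type, not the user, picks the syntax."""
    if isinstance(value, bool):
        return "TRUE" if value else "FALSE"
    if isinstance(value, int):
        return str(value)
    if isinstance(value, float):
        if not math.isfinite(value):
            raise UnsafeInput("non-finite float literal")
        return repr(value)
    if isinstance(value, str):
        # Doubling the single quote is the only escape a string literal needs;
        # whatever else the value contains stays inside the literal.
        return "'" + value.replace("'", "''") + "'"
    raise UnsafeInput(f"unsupported literal type {type(value).__name__}")


def render_check(cmp: Comparison, columns: dict) -> str:
    """Compile one Comparison into CHECK text from vetted parts only."""
    if cmp.column not in columns:
        raise UnsafeInput(f"unknown column {cmp.column!r}")
    if cmp.op not in ALLOWED_OPS:
        raise UnsafeInput(f"rejected operator {cmp.op!r}")
    return f"CHECK ({quote_identifier(cmp.column)} {cmp.op} {render_literal(cmp.value)})"


def build_create_table(table: str, columns: dict, checks=()) -> str:
    """Assemble CREATE TABLE from validated identifiers, whitelisted column types
    and structured checks. Raw user strings never reach the SQL text."""
    validate_identifier(table)
    if not columns:
        raise UnsafeInput("a table needs at least one column")
    parts = []
    for col, typ in columns.items():
        if typ not in COLUMN_TYPES:
            raise UnsafeInput(f"rejected column type {typ!r}")
        parts.append(f"{quote_identifier(col)} {COLUMN_TYPES[typ]}")
    for i, cmp in enumerate(checks):
        # Constraint names are generated here, not taken from the user.
        parts.append(f"CONSTRAINT {quote_identifier(f'ck_{table}_{i}')} "
                     f"{render_check(cmp, columns)}")
    return f"CREATE TABLE {quote_identifier(table)} ({', '.join(parts)})"


def is_rejected(fn, *args) -> bool:
    """Demo helper: True if the input is refused by validation."""
    try:
        fn(*args)
    except UnsafeInput:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a clean request and the payload from the post above.
    print(build_create_table("events", {"id": "integer", "status": "text"},
                             [Comparison("id", ">", 0)]))
    print(is_rejected(validate_identifier,
                      "id = 0)); DROP TABLE table_meta; COMMIT; --"))
```

The same structured Comparison can be handed to SQLAlchemy instead of text: map the operator to a column expression, e.g. `CheckConstraint(table.c[cmp.column] > cmp.value)`, and let SQLAlchemy render the literal into the DDL. The caveat that does not go away is that a CHECK expression is part of the DDL, so it cannot carry bind parameters the way a query can; whatever builds it has to either render literals itself (as above) or let the toolkit do so from typed values, and must never splice the user's string in as SQL.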