Simply put: if I did something like
Conn.execute(RAW_SQL)
would SQLAlchemy sanitize this to prevent SQL injection, or does it literally just execute it? Thanks
Yes, in MOST cases SQLAlchemy will auto-escape, but if you are using literals or raw SQL, you can still shoot yourself in the foot.
Import the necessary functions from the SQLAlchemy package. Establish a connection with the PostgreSQL database using the create_engine() function, create a table called books with the columns book_id and book_price, and insert a record into the table using the insert() and values() functions.
Since SQLAlchemy relies on the DBAPI specification to interact with databases, the most common database management systems are supported. PostgreSQL, MySQL, Oracle, Microsoft SQL Server, and SQLite are all examples of engines that can be used with SQLAlchemy.
Is SQLAlchemy safe to use? The Python package SQLAlchemy was scanned for known vulnerabilities and missing licenses, and no issues were found, so the package itself was deemed safe to use. Note that this says nothing about how you build your queries: a clean vulnerability record for the library does not protect an application that interpolates untrusted values into SQL strings.
No, if you pass in raw SQL with values interpolated, SQLAlchemy will not sanitise it. It'll just be executed.
Always use query parameters, at the very least.
A string object is passed straight to the underlying database connection implementation; it does support query parameters but you'll have to use the parameter style specific to the library that handles the database communication.
You can use sqlalchemy.sql.expression.text() to generate SQL with implementation-agnostic query parameter syntax.