
SQLAlchemy + SQL Injection

What are the best practices for mitigating SQL injection attacks when using SQLAlchemy?

Mike asked Jun 28 '11 04:06




2 Answers

tldr: Avoid raw SQL as much as possible.

The accepted answer is lazy and incorrect. The filter method accepts raw SQL, and if used in that way, is fully susceptible to SQL injection attacks. For instance, if you were to accept a value from a URL and combine it with raw SQL in the filter, you are open to attack:

session.query(MyClass).filter("foo={}".format(getArgs['val'])) 

Using the above code and the below URL, you would be injecting SQL into your filter statement. The code above would return all rows in your database.

URL encoded:

https://example.com/?val=2%20or%201%20=%201 

Easier to understand (URL decoded):

https://example.com/?val=2 or 1 = 1 
Tendrid answered Sep 20 '22 18:09
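As an added example (not code from either answer), the query from the answer above built both ways, string formatting versus a bound parameter, against an in-memory SQLite database through SQLAlchemy Core's text(); the table, column and rows are constructed here and stand in for the MyClass/foo of the question.

```python
# Added example, not from the original answers. Requires SQLAlchemy (1.4 or 2.0);
# uses Core text() so it does not depend on the ORM's filter() signature.
from sqlalchemy import create_engine, text

engine = create_engine("sqlite://")  # in-memory database, nothing touches disk

with engine.begin() as conn:
    # Constructed sample data standing in for the "MyClass" table in the question.
    conn.execute(text("CREATE TABLE my_table (id INTEGER PRIMARY KEY, foo INTEGER, name TEXT)"))
    conn.execute(
        text("INSERT INTO my_table (foo, name) VALUES (:foo, :name)"),
        [{"foo": 1, "name": "alice"}, {"foo": 2, "name": "bob"}, {"foo": 3, "name": "carol"}],
    )


def rows_by_foo_unsafe(val: str) -> list:
    """Interpolates the request value into the SQL text, the same mistake as
    filter("foo={}".format(...)) in the answer: the value becomes part of the
    statement, so "2 or 1 = 1" turns a lookup into a full-table read."""
    with engine.connect() as conn:
        result = conn.execute(
            text("SELECT name FROM my_table WHERE foo={} ORDER BY id".format(val))
        )
        return [row[0] for row in result]


def rows_by_foo_safe(val: str) -> list:
    """Passes the request value as a bound parameter (:val). The driver sends it
    separately from the SQL, so it is only ever compared as a value; the same
    injection string simply matches nothing. ORM comparisons such as
    filter(MyClass.foo == val) bind the value the same way."""
    with engine.connect() as conn:
        result = conn.execute(
            text("SELECT name FROM my_table WHERE foo = :val ORDER BY id"),
            {"val": val},
        )
        return [row[0] for row in result]
```

Run with a normal value and with the decoded URL payload from the answer ("2 or 1 = 1") to see the unsafe version return every row while the bound-parameter version returns none.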


If you have any "special" characters (such as semicolons or apostrophes) in your data, they will be automatically quoted for you by the SQLEngine object, so you don't have to worry about quoting. This also means that unless you deliberately bypass SQLAlchemy's quoting mechanisms, SQL-injection attacks are basically impossible.

[per http://www.rmunn.com/sqlalchemy-tutorial/tutorial.html]

Andreas Jung answered Sep 22 '22 18:09