SJP

Reputation: 1372

Does SQLAlchemy sanitize raw SQL?

Simply put: if I did something like

Conn.execute(RAW_SQL)

would SQLAlchemy sanitize this to prevent SQL injection, or does it literally just execute it? Thanks

Upvotes: 10

Views: 9697

Answers (1)

Martijn Pieters

Reputation: 1121834

No, if you pass in raw SQL with values interpolated, SQLAlchemy will not sanitise it. It'll just be executed.

Always use query parameters, at the very least.

A string object is passed straight to the underlying database connection implementation; it does support query parameters but you'll have to use the parameter style specific to the library that handles the database communication.

You can use sqlalchemy.sql.expression.text() to generate SQL with implementation agnostic query parameter syntax.

Upvotes: 12
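An added example (not part of the question or answer) that shows both behaviours the answer describes: a value interpolated into the SQL string is executed as SQL, while a bind parameter written in text()'s ':name' syntax is handed to the driver out of band. It assumes SQLAlchemy 1.4 or newer with the bundled sqlite driver; the table and rows are constructed sample data.

```python
# Added example: SQLAlchemy executes interpolated SQL literally, whereas
# bind parameters declared with text() are never parsed as SQL.
# Assumes SQLAlchemy 1.4+ and the built-in sqlite driver; data is constructed.
from sqlalchemy import create_engine, text

engine = create_engine("sqlite://")  # in-memory constructed sample database

with engine.begin() as conn:
    conn.execute(text("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)"))
    conn.execute(
        text("INSERT INTO users (name) VALUES (:name)"),
        [{"name": "alice"}, {"name": "bob"}],
    )


def find_user_interpolated(user_input):
    """Vulnerable form: the value is pasted into the statement text, so
    whatever the caller supplies is parsed by the database as SQL."""
    stmt = text(f"SELECT name FROM users WHERE name = '{user_input}' ORDER BY name")
    with engine.connect() as conn:
        return [row[0] for row in conn.execute(stmt)]


def find_user_bound(user_input):
    """Safe form: ':name' is a bind parameter. SQLAlchemy rewrites it to the
    driver's own paramstyle and sends the value separately from the SQL."""
    stmt = text("SELECT name FROM users WHERE name = :name ORDER BY name")
    with engine.connect() as conn:
        return [row[0] for row in conn.execute(stmt, {"name": user_input})]


if __name__ == "__main__":
    print(find_user_interpolated("alice"))        # ['alice']
    print(find_user_bound("alice"))               # ['alice']
    # A value that only makes sense as SQL, never as a user name:
    print(find_user_interpolated("' OR '1'='1"))  # ['alice', 'bob']: the WHERE clause was rewritten
    print(find_user_bound("' OR '1'='1"))         # []: compared as a literal string
```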
