Current implementation of .startswith filter does not escape _ and % characters, so they match any character/any character sequence. This is rather unexpected (at least the fact that .startswith("a_b") finds "a/b" was fairly surprising for me) and requires users to manually escape parameters. See http://pastebin.com/qsCjybMz for short script which illustrates current behaviour.
It would be nice to have .startswith which automatically escapes parameter. As in
#1169 I was warned that current default must be kept, and introducing new name is not very aestethic, I would suggest new parameter, for example
(SQLAlchemy escapes string using whatever character is best and safest for given db backend) and
(SQLAlchemy uses given escape character)
Note: I am not sure whether/what should be done in case we .startswith(dbcolumn)
Note 2: startswith docs could really mention (current) escape param, (current) % and _ active behaviour and (implemented here) new param.