Provide an escape function

Issue #791 resolved
Former user created an issue

SQLAlchemy uses bound parameters by default so that ordinary SQL injections are not possible anymore. But when using queries like

User.c.username.like('%' + userinput + '%')

there is still a need to escape "userinput" so that no special characters like "%" or "_" cause unwanted matches.

SQLAlchemy should provide a function which the user can call to escape all special characters.
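An escape helper of the kind the issue asks for, added here as an example and not code from SQLAlchemy or from anyone in this thread: it escapes `%`, `_` and the escape character itself, then runs the resulting pattern through a `LIKE ... ESCAPE` clause against an in-memory sqlite3 table with constructed rows, so the difference between the raw and the escaped pattern is visible. The function names, the `SAMPLE_USERS` rows and the choice of backslash as escape character are assumptions; the escaped pattern is what you would pass to SQLAlchemy's `like(pattern, escape='\\')` for the same effect.

```python
import sqlite3

# Assumed escape character; it must be sent to the database in the ESCAPE clause.
ESCAPE_CHAR = "\\"


def escape_like(value: str, escape: str = ESCAPE_CHAR) -> str:
    """Escape LIKE metacharacters so user input matches literally.

    The escape character is doubled first, so that a user-supplied backslash
    cannot neutralise the escaping of a following '%' or '_'.
    """
    return (value.replace(escape, escape + escape)
                 .replace("%", escape + "%")
                 .replace("_", escape + "_"))


def contains_pattern(userinput: str) -> str:
    """Build the '%...%' pattern used for a 'contains' search, input escaped."""
    return "%" + escape_like(userinput) + "%"


# Constructed sample rows (hypothetical usernames, not real data).
SAMPLE_USERS = ["alice", "a_ice", "bob", "carol%", "a%ce", "back\\slash"]


def search_users(userinput: str, escape: bool = True) -> list:
    """Return usernames containing userinput, with or without escaping.

    Bound parameters are used in both branches; the difference is only
    whether '%' and '_' in the input keep their wildcard meaning.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [(u,) for u in SAMPLE_USERS])
    if escape:
        rows = conn.execute(
            "SELECT username FROM users WHERE username LIKE ? ESCAPE ?",
            (contains_pattern(userinput), ESCAPE_CHAR),
        ).fetchall()
    else:  # the pattern from the issue text: '%' + userinput + '%', unescaped
        rows = conn.execute(
            "SELECT username FROM users WHERE username LIKE ?",
            ("%" + userinput + "%",),
        ).fetchall()
    conn.close()
    return sorted(r[0] for r in rows)
```

Searching for `a_i` unescaped also returns `alice`, because `_` matches any single character; escaped it returns only `a_ice`, and a bare `%` stops matching every row.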

Comments (4)

  1. jek
    • changed component to sql

    paj:

    I'm also thinking that startswith, endswith and contains should probably do the escaping by default.

    jek:

    Also extend the LIKE operator to take the ESCAPE clause (LIKE 'expr' ESCAPE '\')

  2. Mike Bayer repo owner

    this strikes me much like something that should exist in userland. re some function just sitting out in a module that's just doing re.sub('_', 'XX')...who would find it? easier to write your own regexp.

    however startswith/endswith use case I think is valid, and definitely the ESCAPE clause should be provided.
