Issue #791: Provide an escape function
Status: resolved (component changed to sql)
SQLAlchemy uses bound parameters by default so that ordinary SQL injections are not possible anymore. But when using queries like
User.c.username.like('%' + userinput + '%')
there is still a need to escape "userinput" so that no special characters like "%" or "_" cause unwanted matches.
SQLAlchemy should provide a function which the user can call to escape all special characters.
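The problem described in the report, shown as an added example that is not part of the issue or of SQLAlchemy itself: a small escape function for LIKE metacharacters, run against an in-memory SQLite table via the standard library so it works offline without SQLAlchemy. The backslash escape character, the table and the sample usernames are constructed for the demonstration; the helper names are hypothetical.

```python
import sqlite3

# Escape character used in the ESCAPE clause (an assumption for this example;
# any single character that does not occur in normal input will do).
LIKE_ESCAPE_CHAR = "\\"


def escape_like(value: str, escape: str = LIKE_ESCAPE_CHAR) -> str:
    """Escape LIKE wildcards so `value` matches itself literally.

    The escape character is doubled first so that an attacker-supplied
    backslash cannot neutralise the escaping applied afterwards.
    """
    return (
        value.replace(escape, escape + escape)
        .replace("%", escape + "%")
        .replace("_", escape + "_")
    )


def demo_connection() -> sqlite3.Connection:
    """Constructed sample table: four usernames, two containing wildcards."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?)",
        [("alice",), ("bob_smith",), ("100%sure",), ("carol",)],
    )
    return conn


def find_usernames_containing(conn, userinput: str, escaped: bool = True):
    """'%' + userinput + '%' search, with or without wildcard escaping.

    Both variants use bound parameters, so neither is SQL injectable; the
    difference is only whether '%' and '_' in userinput act as wildcards.
    """
    if escaped:
        pattern = "%" + escape_like(userinput) + "%"
        # The escape character is a literal in the SQL text: ESCAPE '\'
        rows = conn.execute(
            "SELECT username FROM users WHERE username LIKE ? ESCAPE '\\'",
            (pattern,),
        ).fetchall()
    else:
        pattern = "%" + userinput + "%"
        rows = conn.execute(
            "SELECT username FROM users WHERE username LIKE ?",
            (pattern,),
        ).fetchall()
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    conn = demo_connection()
    # Unescaped: a lone "_" matches every row; escaped: only the literal underscore.
    print(find_usernames_containing(conn, "_", escaped=False))
    print(find_usernames_containing(conn, "_", escaped=True))
    print(find_usernames_containing(conn, "%", escaped=True))
```

The `ESCAPE` clause is what makes the escaping meaningful: without it the database treats the backslash as an ordinary character and the doubled-up pattern would fail to match. Later SQLAlchemy releases expose this as the `escape=` keyword on `like()` and as `autoescape=True` on `contains()`, `startswith()` and `endswith()`.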
Comments (4)
repo owner: This strikes me much like something that should exist in userland. Re some function just sitting out in a module that's just doing re.sub('_', 'XX')... who would find it? Easier to write your own regexp.
However, the startswith/endswith use case I think is valid, and definitely the ESCAPE clause should be provided.
repo owner: Dupe of #993?
repo owner (changed status to resolved): Not quite... extra additions in 8d0c5672f06952382b4eedf78158a043b3529878
paj:
jek: