tldr: Avoid raw SQL as much as possible.
The accepted answer is lazy and incorrect. The filter method accepts raw SQL, and if used in that way, is fully susceptible to SQL injection attacks. For instance, if you were to accept a value from a url and combine it with raw sql in the filter, you are open to attack:
session.query(MyClass).filter("foo={}".format(getArgs['val']))
using the above code and the below url, you would be injecting SQL in to your filter statement. The code above would return all rows in your database.
URL encoded:
https://example.com/?val=2%20or%201%20=%201
Easier to understand (URL decoded):
https://example.com/?val=2 or 1 = 1
与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
