python - Is a SQLAlchemy query vulnerable to injection attacks?

Question

Welcome To Ask or Share your Answers For Others

python - Is a SQLAlchemy query vulnerable to injection attacks?

posted Oct 24, 2021 in Technique[技术] by 深蓝 (71.8m points)

python - Is a SQLAlchemy query vulnerable to injection attacks?

I have the following query that uses like to search a blog. I am not sure if I'm making myself vulnerable to a SQL injection attack if I do this. How is SQLAlchemy handling this? Is it safe?

search_results = Blog.query.with_entities(Blog.blog_title).filter(Blog.blog_title.like("%"+ searchQuery['queryText'] +"%")).all()

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙；凝视深渊过久,深渊将回以凝视…

1 Reply

深蓝 · Answer 1 · 2021-10-23T19:19:17+0000

The underlying db-api library for whatever database you're using (sqlite3, psycopg2, etc.) escapes parameters. SQLAlchemy simply passes the statement and parameters to execute, the driver does whatever is needed. Assuming you are not writing raw SQL that includes parameters yourself, you are not vulnerable to injection. Your example is not vulnerable to injection.

Categories

python - Is a SQLAlchemy query vulnerable to injection attacks?

python - Is a SQLAlchemy query vulnerable to injection attacks?

Please log in or register to add a comment.

Please log in or register to reply this article.

1 Reply

Please log in or register to add a comment.

Just Browsing Browsing

Most popular tags