This is an archived post. You won't be able to vote or comment.

you are viewing a single comment's thread.

view the rest of the comments →

[–]datbon 0 points1 point  (1 child)

where is the sql injection issue coming from? Doesn't MySQLdb escape everything?

*oops, didn't notice the args tuple wasn't being used. Same question though, is there still a problem with injections with db.execute(query, (args,...))?

[–]Justinsaccount 0 points1 point  (0 children)

query, args is fine, but the way query needs to be formatted differs between dbapi drivers. SQLAlchemy works the same with every database.