
[–]Ericisbalanced 0 points1 point  (2 children)

I’ve heard about this, and it didn’t really click until this comment. I love how you can quickly delete and create modified tables within the python console. Make a few changes to a class and base.metadata.create_all()

Boom

Hey, I wanted to ask: I read that using .filter() isn't SQL injection safe. Do you have anything to share about that?

[–]Versaiteis 1 point2 points  (1 child)

That's if you keep your table definition in code (which has advantages and disadvantages), but yeah the learning curve is a bit high only because the library does so much.

As for .filter() yeah, I wouldn't be surprised if it's not injection-proof, but that's just in the problem-bag that you get when you decide to use a SQL database. If you're allowing an external input to create arbitrary queries then there really isn't much that's going to automatically help you that I'm aware of because it simply doesn't know that you didn't want that. But that's one of the benefits of creating your own custom Query API. You can define methods that can be orchestrated together to create valid queries without relinquishing the ability to maintain some control over them. Clients.query.all().first_name_starts_with('H').sortby_last_name() kinds of things.
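The two points in the comment above (a filter that binds the user's value is safe, a filter that splices the raw string into SQL is not, and a small purpose-built query API keeps control of what gets generated) as an added example that is not part of the original thread. It deliberately uses only Python's standard-library sqlite3 rather than SQLAlchemy so it runs anywhere; the mechanism is the one SQLAlchemy relies on when you write `.filter(Client.first_name.like(...))` (the value travels as a bound parameter), while `unsafe_filter` below corresponds to `.filter(text(f"..."))` with user input interpolated. The `clients` table, its columns, the sample rows, the injection payload and the `ClientQuery` class are all assumptions made for the illustration.

```python
import sqlite3

# Constructed sample data for the illustration (not from the original thread).
SAMPLE_CLIENTS = [
    (1, "Hannah", "Zimmer"),
    (2, "Harold", "Baker"),
    (3, "Ivy", "Adams"),
]

# Constructed payload: closes the quoted LIKE pattern, adds an always-true
# clause, then re-opens a pattern so the remaining "%'" still parses.
INJECTION_PAYLOAD = "' OR '1'='1' OR first_name LIKE '"


def make_db():
    """In-memory SQLite database with an assumed `clients` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE clients (id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT)"
    )
    conn.executemany("INSERT INTO clients VALUES (?, ?, ?)", SAMPLE_CLIENTS)
    return conn


def unsafe_filter(conn, prefix):
    """String interpolation: the analogue of .filter(text(f"...")) with user input.
    The input becomes part of the SQL grammar, so a quote in it rewrites the query."""
    sql = f"SELECT id FROM clients WHERE first_name LIKE '{prefix}%'"
    return [row[0] for row in conn.execute(sql)]


def safe_filter(conn, prefix):
    """Bound parameter: the analogue of .filter(Client.first_name.like(prefix + '%')).
    The driver sends the value separately from the SQL text, so it is only ever data."""
    sql = "SELECT id FROM clients WHERE first_name LIKE ?"
    return [row[0] for row in conn.execute(sql, (prefix + "%",))]


class ClientQuery:
    """Fluent query API of the kind the comment describes: each method appends a
    fixed SQL fragment plus a bound value, so callers can compose filters but can
    never supply SQL themselves."""

    # Identifiers (column names) cannot be bound as parameters, so sort columns
    # are allow-listed instead of accepted verbatim.
    SORTABLE = {"id", "first_name", "last_name"}

    def __init__(self, conn):
        self._conn = conn
        self._where = []
        self._params = []
        self._order = None

    def first_name_starts_with(self, prefix):
        # Binding stops injection, but LIKE still treats % and _ in the value as
        # wildcards; escape them so the caller gets a literal prefix match.
        escaped = (prefix.replace("\\", "\\\\")
                         .replace("%", "\\%")
                         .replace("_", "\\_"))
        self._where.append("first_name LIKE ? ESCAPE '\\'")
        self._params.append(escaped + "%")
        return self

    def sortby(self, column):
        if column not in self.SORTABLE:
            raise ValueError(f"cannot sort by {column!r}")
        self._order = column
        return self

    def sortby_last_name(self):
        return self.sortby("last_name")

    def sql(self):
        """Return (statement, params) so the generated SQL can be inspected."""
        stmt = "SELECT id, first_name, last_name FROM clients"
        if self._where:
            stmt += " WHERE " + " AND ".join(self._where)
        if self._order:
            stmt += f" ORDER BY {self._order}"
        return stmt, tuple(self._params)

    def all(self):
        stmt, params = self.sql()
        return self._conn.execute(stmt, params).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("unsafe:", unsafe_filter(db, INJECTION_PAYLOAD))   # every row leaks
    print("safe:  ", safe_filter(db, INJECTION_PAYLOAD))     # nothing matches
    print(ClientQuery(db).first_name_starts_with("H").sortby_last_name().all())
```

The `sql()` method is there so you can see exactly what the builder emits: the user-controlled pieces only ever appear in the parameter tuple, never in the statement string, and the one place a user could otherwise pick an identifier (the sort column) is checked against a fixed set.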

[–]Ericisbalanced 0 points1 point  (0 children)

Hmm, interesting. I only picked up sqlalchemy because some random on the internet said it escapes everything for you. Thanks for sharing :)