Simple question, but I just want to be sure of the answer: using Flask-SQLAlchemy, is this safe (where searchstring comes directly from the user)?
results = MyClass.query.filter(MyClass.MyProperty.ilike('%{}%'.format(searchstring)))
SQLAlchemy is good, but you should avoid raw SQL as much as possible. In your case it does not look like it is prone to SQL injection, but my 2 cents is to avoid raw SQL as much as possible.
Also refer: Is a SQLAlchemy query vulnerable to injection attacks?
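An added example, not code from the question or the answer: it reproduces with the standard-library sqlite3 module what SQLAlchemy's ilike() does with that expression, namely compile to lower(col) LIKE lower(?) and send the whole formatted pattern as one bound parameter, so quotes in searchstring are data and cannot change the statement. It also shows the caveat that remains: '%' and '_' typed by the user still act as LIKE wildcards unless escaped. The table, column and rows are constructed for the example.

```python
import sqlite3

# Constructed sample rows; "ab-smith" is there to show the '_' wildcard
# matching a character the user did not literally type.
ROWS = [
    ("alice@example.com",),
    ("bob_smith@example.com",),
    ("carol@example.org",),
    ("ab-smith@example.net",),
]


def make_db():
    """In-memory table standing in for MyClass.MyProperty."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE myclass (myproperty TEXT)")
    conn.executemany("INSERT INTO myclass VALUES (?)", ROWS)
    return conn


def search_bound(conn, searchstring):
    """Equivalent of MyClass.MyProperty.ilike('%{}%'.format(searchstring)).

    The .format() only builds the pattern *value*; that value is passed as a
    single bound parameter, so quotes or SQL keywords in searchstring are
    compared as text, never parsed as SQL.  What is NOT neutralised are the
    LIKE metacharacters '%' and '_', which keep their wildcard meaning."""
    pattern = "%{}%".format(searchstring)
    cur = conn.execute(
        "SELECT myproperty FROM myclass "
        "WHERE lower(myproperty) LIKE lower(?) ORDER BY myproperty",
        (pattern,),
    )
    return [row[0] for row in cur.fetchall()]


def search_bound_escaped(conn, searchstring):
    """Same query, but user-supplied '%', '_' and '\\' are escaped and an
    ESCAPE clause is declared, so the user can only match them literally.
    SQLAlchemy exposes the same clause as ilike(pattern, escape='\\\\')."""
    escaped = (
        searchstring.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    )
    pattern = "%{}%".format(escaped)
    cur = conn.execute(
        "SELECT myproperty FROM myclass "
        "WHERE lower(myproperty) LIKE lower(?) ESCAPE '\\' ORDER BY myproperty",
        (pattern,),
    )
    return [row[0] for row in cur.fetchall()]
```

With the plain version a searchstring of "%" returns every row and "_smith" also matches "ab-smith"; the escaped version matches those characters only literally.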