
I'm accepting a GET query parameter which will be used as a piece of a search string.

If I have this:

from flask import request  # request.args implies a Flask view (assumed)

x = request.args['x']  # untrusted value straight from the query string
MyTable.query.filter(MyTable.myCol.ilike(x)).one()

Am I vulnerable to a SQL injection attack?

EDIT - I am using Postgres and SQLAlchemy 1.0 I think.

Tony Ennis
  • Which version of SQLAlchemy are you using? And with which database? – Mary Marchini Sep 14 '15 at 21:19
  • possible duplicate of [SQLAlchemy + SQL Injection](http://stackoverflow.com/questions/6501583/sqlalchemy-sql-injection) – Mary Marchini Sep 14 '15 at 21:23
  • It is not a duplicate IMO. The accepted answer there might be wrong in that it quotes a non-authoritative source. That question is also not about filter() specifically. – Tony Ennis Sep 14 '15 at 23:08

1 Answer

According to https://stackoverflow.com/a/31949750/3359014,

MyTable.query.filter(MyTable.myCol.ilike(x)).one() is not considered raw SQL, and the underlying DB-API will escape x.

Jinsu Oh
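To make the answer's point concrete, here is an added example (not from the question, the answer, or SQLAlchemy itself) of what "the DB-API escapes x" means in practice. It uses the standard-library sqlite3 driver in place of Postgres so it runs offline, and it assumes a constructed table my_table with one text column my_col; it also shows the one caveat binding does not cover, namely that % and _ in x remain LIKE wildcards.

```python
# Added example, not part of the original post. sqlite3 stands in for
# Postgres; sqlite's LIKE is case-insensitive for ASCII, which is what
# SQLAlchemy's ilike() amounts to on dialects without a native ILIKE.
import sqlite3

# Constructed sample rows for the demonstration.
ROWS = [("alice",), ("bob",), ("alice smith",)]


def _db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE my_table (my_col TEXT)")
    conn.executemany("INSERT INTO my_table VALUES (?)", ROWS)
    return conn


def search_bound(x):
    """Equivalent of MyTable.query.filter(MyTable.myCol.ilike(x)): x travels
    to the driver as a bound parameter, so it can only ever be a pattern."""
    conn = _db()
    return [r[0] for r in conn.execute(
        "SELECT my_col FROM my_table WHERE my_col LIKE ?", (x,))]


def search_interpolated(x):
    """The raw-SQL mistake the answer contrasts against: x is spliced into
    the statement text, so the database parses whatever it contains."""
    conn = _db()
    return [r[0] for r in conn.execute(
        f"SELECT my_col FROM my_table WHERE my_col LIKE '{x}'")]


def escape_like(x, esc="\\"):
    """Binding stops injection but not wildcard control: '%' and '_' in x
    are still LIKE metacharacters. Escape them for an ESCAPE clause."""
    return (x.replace(esc, esc + esc)
             .replace("%", esc + "%")
             .replace("_", esc + "_"))


def search_literal(x):
    """Bound parameter plus wildcard escaping: x is matched as literal text."""
    conn = _db()
    return [r[0] for r in conn.execute(
        "SELECT my_col FROM my_table WHERE my_col LIKE ? ESCAPE '\\'",
        (escape_like(x),))]
```

search_bound treats a quote-laden input as an ordinary pattern that matches nothing, while search_interpolated lets the same input rewrite the WHERE clause; search_bound("%") still returns every row, which search_literal prevents.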