SQLAlchemy + SQL Injection

python security sqlalchemy

What are the best practices for mitigating SQL injection attacks when using SQLAlchemy?


Solution 1:

tldr: Avoid raw SQL as much as possible.

The accepted answer is lazy and incorrect. The filter method accepts raw SQL, and if used in that way, is fully susceptible to SQL injection attacks. For instance, if you were to accept a value from a url and combine it with raw sql in the filter, you are open to attack:

session.query(MyClass).filter("foo={}".format(getArgs['val']))

using the above code and the below url, you would be injecting SQL in to your filter statement. The code above would return all rows in your database.

URL encoded:

https://example.com/?val=2%20or%201%20=%201

Easier to understand (URL decoded):

https://example.com/?val=2 or 1 = 1

Solution 2:

If you have any "special" characters (such as semicolons or apostrophes) in your data, they will be automatically quoted for you by the SQLEngine object, so you don't have to worry about quoting. This also means that unless you deliberately bypass SQLAlchemy's quoting mechanisms, SQL-injection attacks are basically impossible.

[per http://www.rmunn.com/sqlalchemy-tutorial/tutorial.html]

Related

Inner Joining three tables
Cannot deserialize instance of object out of START_ARRAY token in Spring Webservice
Android 5.0 android:elevation Works for View, but not Button?
How can I prevent my dwarfs from moving the barrel full of drink mats?
Why fps is 30 in full screen mode in Overwatch
Ocelot not being tamed? [duplicate]
What does the green halo around Wizarding Challenges means?
How to make this unbreakable - Minecraft 1.14.2 replaceitem Command [duplicate]
Tekkit pipes getting clogged
Any unique interactions, with an Altmer Dragonborn?
What do we call the voice prompt we hear after a kill?
How can I make an unsupported inclined rail?