Do not use text() as it leads to SQL injection このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください 。
このルールを試す ID: python-flask/disable-sqlalchemy-text
Language: Python
Severity: Warning
Category: Security
CWE : 89
Description The text
function from SQLAlchemy lets you build custom SQL statements. It is recommended to use the ORM functions to build queries and avoid building custom queries, which are vulnerable to SQL injections.
Learn More Non-Compliant Code Examples from sqlalchemy.sql import text
con = engine . connect ()
data = ( { "id" : 1 , "title" : "The Hobbit" , "primary_author" : "Tolkien" },
{ "id" : 2 , "title" : "The Silmarillion" , "primary_author" : "Tolkien" },
)
statement = text ( """INSERT INTO book(id, title, primary_author) VALUES(:id, :title, :primary_author)""" )
for line in data :
con . execute ( statement , ** line )
Compliant Code Examples con = engine . connect ()
data = ( { "id" : 1 , "title" : "The Hobbit" , "primary_author" : "Tolkien" },
{ "id" : 2 , "title" : "The Silmarillion" , "primary_author" : "Tolkien" },
)
statement = text ( """INSERT INTO book(id, title, primary_author) VALUES(:id, :title, :primary_author)""" )
for line in data :
con . execute ( statement , ** line )
from sqlalchemy import text
BOOKS = meta . tables [ 'books' ]
query = sqlalchemy . select ( BOOKS ) . where ( BOOKS . c . genre == 'fiction' )
result = engine . execute ( query ) . fetchall ()
Seamless integrations. Try Datadog Code Analysis