Bank high security requirements, including basic mysql-injection, and therefore, the recording method using the correlation:
Note: sqlalchemy comes sql-injection, but at the time of execution handwriting execute this sql need to consider security issues
For where in anti sql injection: (in the content must be a tuple type, or not query results)
in_str = tuple(input_list)
sql = "(SELECT count(id) FROM {0} WHERE {0}.id IN :in_str);".format(cls.__tablename__) cursor = db.get_engine(current_app, cls.__bind_key__) return cursor.execute(text(sql), in_str=in_str).fetchone()[0]
For general anti sql injection where:
sql = """ (select {index}.sec_id, from {index}, {main} where {index}.sec_id= {main}.sec_id and {main}.user_id=:user_id); """.format(index=TableA.__tablename__, main=TableB.__tablename__) cursor = db.get_engine(current_app, TableB.__bind_key__) return cursor.execute(text(sql), user_id=user_id).fetchall()
Anti sql injection can be equal to the back-injection number where the inside of the string remains a need for other parts of the splice
Use the remaining keywords refer to the following official website tutorial
Official website tutorial: https://docs.sqlalchemy.org/en/latest/core/tutorial.html#using-textual-sql