I am trying to find a way to call a stored proc with parameters (SP) using SQLAlchemy. I found lots of answers, none that solved my specific problem. As far as I understand, we can always pass parameters to the SQLAlchemy text by first formatting the string using Python. But from what I have read, that is unsafe due to SQL injection attacks. But I am unable to find a reliable way to pass parameters without exposing it via text. Can someone advise me what to do or where to look for any particular module I overlooked. Or perhaps my understanding is wrong or not enough. I am not sure where to look. Any advice is helpful. Thank you.

One way I tried is like this, which I think is unsafe?

var1 = "CALL SP('%s');" % someval  # value obtained from somewhere
var2 = sqlalchemy.text(var1)
engine.execute(var2)
  • Please provide enough code so others can better understand or reproduce the problem. – Community May 30 '22 at 11:05
  • There is not much code; it's the solution itself I'm looking for. So I'm establishing a connection to a Postgres DB using SQLAlchemy and psycopg2 on Python, and I want to have Python call stored procedures. I can just pass the SQL commands for non-parameter stored procs. But for the ones which require params, I am trying to find a good way or the right way to pass the parameters to the stored proc securely. More like rules or inbuilt functions that allow it. I am using SQLAlchemy; I'm using conn.execute and pass a text query. I think I cannot use cursor since it's not supported on create_engine? – Grumpyahdu May 30 '22 at 14:11

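An added example (not from the question or from SQLAlchemy) of the bind-parameter approach the question asks about: the value travels as a `:name` parameter instead of being formatted into the SQL string, while the procedure name, which cannot be bound, is validated as an identifier. It assumes a constructed in-memory SQLite stand-in, since the PostgreSQL procedure is not available offline, and `build_call` is a hypothetical helper whose result is executed in SQLAlchemy as `conn.execute(text(sql), params)`.

```python
import re
import sqlite3

# Hypothetical helper (not SQLAlchemy's own): the procedure name is an identifier
# and cannot be a bind parameter, so it is validated; values become :name binds.
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def build_call(proc, values):
    """Return (sql, params) usable as conn.execute(text(sql), params)."""
    if not _IDENT.match(proc):
        raise ValueError("invalid procedure name: %r" % proc)
    names = ["p%d" % i for i in range(len(values))]
    sql = "CALL %s(%s);" % (proc, ", ".join(":" + n for n in names))
    return sql, dict(zip(names, values))

def _db():
    # Constructed in-memory SQLite stand-in; SQLite has no CALL, so a plain
    # INSERT plays the role of the procedure. Only the binding mechanism matters.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE audit (who TEXT)")
    return conn

def run_formatted(conn, value):
    # The question's pattern: the value is spliced into the SQL text first.
    conn.execute("INSERT INTO audit (who) VALUES ('%s');" % value)

def run_bound(conn, value):
    # Same :name syntax SQLAlchemy text() uses; the driver sends the value
    # separately, so quotes inside it never reach the SQL parser as syntax.
    conn.execute("INSERT INTO audit (who) VALUES (:who);", {"who": value})

def compare(value="O'Brien"):
    """Return (formatted_succeeded, rows_after_bound_call)."""
    conn = _db()
    try:
        run_formatted(conn, value)
        formatted_ok = True
    except sqlite3.OperationalError:
        formatted_ok = False  # the apostrophe terminated the literal early
    run_bound(conn, value)
    return formatted_ok, [r[0] for r in conn.execute("SELECT who FROM audit")]

if __name__ == "__main__":
    print(build_call("sp", ["a", 1]))
    print(compare())
```

With psycopg2 directly, `cursor.callproc(name, params)` achieves the same separation of statement and values.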