I have the following query that uses
like to search a blog. I am not sure if I’m making myself vulnerable to a SQL injection attack if I do this. How is SQLAlchemy handling this? Is it safe?
search_results = Blog.query.with_entities(Blog.blog_title).filter(Blog.blog_title.like("%"+ searchQuery['queryText'] +"%")).all()
The underlying db-api library for whatever database you’re using (sqlite3, psycopg2, etc.) escapes parameters. SQLAlchemy simply passes the statement and parameters to
execute, the driver does whatever is needed. Assuming you are not writing raw SQL that includes parameters yourself, you are not vulnerable to injection. Your example is not vulnerable to injection.