
PySqlalchemy

SQLAlchemy is the most-used Python ORM. The text() wrapper and raw execute() are SQL injection sinks when the SQL is built from user input. Core and ORM query APIs with bound parameters are safe.

Taint flow: 0 sources, 4 sinks

Sinks (dangerous calls):
  .text()
  .Engine.execute()
  .Connection.execute()
  .Session.execute()

Sinks

.text() (sink)
Signature: sqlalchemy.text(text: str) -> TextClause

Wraps a raw SQL string. SQL injection sink when text is built from user input without :bindparams.

tracks: 0
.Engine.execute() (sink)
Signature: Engine.execute(statement, *multiparams, **params) -> CursorResult

Executes a statement. Injection sink when statement is a raw string.

tracks: 0
.Connection.execute() (sink)
Signature: Connection.execute(statement, parameters=None, ...) -> CursorResult

Executes a statement. Injection sink when statement is a raw string without text() + bindparams.

tracks: 0
.Session.execute() (sink)
Signature: Session.execute(statement, params=None, ...) -> Result

Executes a statement. Injection sink on raw strings.

tracks: 0
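The sink/safe split described in the summary and in the four sink entries above, as an added example that is not part of codepathfinder or SQLAlchemy: a small AST scan that flags text() and .execute() calls whose SQL argument is assembled at runtime, and lets constant SQL with :name bind parameters through. The SINK_NAMES set, the helper names and the two source snippets are constructed for this example; the scan needs only the standard library, so it runs without SQLAlchemy installed.

```python
"""Static scan for the four SQLAlchemy sinks described on this page.

Added example: not part of codepathfinder or SQLAlchemy. It walks a Python
module's AST and flags calls to text() and .execute() whose SQL argument is
assembled at runtime (f-string, '+' concatenation, '%' formatting,
str.format), which is the pattern the page calls a sink. Constant SQL and
text() clauses parameterised with :bindparams pass. The two snippets below
are constructed test input, not code from any real project.
"""
import ast
from typing import List, Optional, Tuple

# Attribute/function names of the page's sinks. Receiver types are not
# resolved here, so a cursor.execute() from another library would match too;
# the rule's fqns (sqlalchemy, sqlalchemy.engine.Engine, sqlalchemy.orm.Session)
# are what narrow this to SQLAlchemy in the real tool.
SINK_NAMES = {"text", "execute"}


def _callee_name(call: ast.Call) -> Optional[str]:
    """Name of the called function: text(...) -> 'text', conn.execute(...) -> 'execute'."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def _is_dynamic_sql(arg: ast.expr) -> bool:
    """True when the SQL string is built from runtime values (injectable)."""
    if isinstance(arg, ast.JoinedStr):                      # f"... {user} ..."
        return True
    if isinstance(arg, ast.BinOp) and isinstance(arg.op, (ast.Add, ast.Mod)):
        return True                                          # "..." + user, "..." % user
    if isinstance(arg, ast.Call):
        if isinstance(arg.func, ast.Attribute) and arg.func.attr == "format":
            return True                                      # "...".format(user)
        if _callee_name(arg) == "text" and arg.args:
            return _is_dynamic_sql(arg.args[0])              # execute(text(f"..."))
    # Constants are safe; bare variables are not tracked (no dataflow here).
    return False


def find_injection_sinks(source: str) -> List[Tuple[int, str]]:
    """Return (line, callee) for every sink call whose SQL is built dynamically."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and node.args):
            continue
        name = _callee_name(node)
        if name in SINK_NAMES and _is_dynamic_sql(node.args[0]):
            findings.append((node.lineno, name))
    return sorted(findings)


# Constructed sample input: the vulnerable pattern on each sink style.
VULNERABLE = '''
from sqlalchemy import text

def by_name(conn, username):
    return conn.execute("SELECT * FROM users WHERE name = '" + username + "'")

def by_name_orm(session, username):
    return session.execute(text(f"SELECT * FROM users WHERE name = '{username}'"))
'''

# Constructed sample input: the same queries with bound parameters.
SAFE = '''
from sqlalchemy import text

def by_name(conn, username):
    stmt = text("SELECT * FROM users WHERE name = :name")
    return conn.execute(stmt, {"name": username})
'''


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE), ("safe", SAFE)):
        print(label, find_injection_sinks(src))
```

The scan is syntactic only: a variable passed to execute() is not followed back to its origin, which is the taint tracking the rule itself adds with its sources and fqns. One version caveat when applying the sink list: Engine.execute() was removed in SQLAlchemy 2.0, so that entry only matches 1.x-era code; on 2.x code bases execution goes through Connection.execute() and Session.execute(), which the rule also covers.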

Fully-Qualified Names

FQN                          Field
sqlalchemy                   fqns[0]
sqlalchemy.engine.Engine     fqns[1]
sqlalchemy.orm.Session       fqns[2]

A wrong FQN yields 0 findings. Sanity check: change the fqns entries to garbage; the rule must then produce 0 results.

Import

rule.py:
  from codepathfinder.go_rule import PySqlalchemy