I’m using SQLAlchemy with PostgreSQL and I need to generate a statement like
SELECT * FROM entities WHERE name LIKE '%input%';
where the “input” bit of the LIKE string is coming from a user. I would like the user to be able to include literal % and _ characters and have these match exactly, and obviously I need to ensure that the query doesn’t allow SQL injection. What is the idiomatic way to do this in SQLAlchemy? I tried
entities = session.query(Entity).filter(Entity.name.like('%:text%')) \
.params(text=user_input).all()
but this didn’t seem to work—it executed without complaint but did not match rows that should have matched.
Use contains() and autoescape=True:
Entity.name.contains(user_input, autoescape=True)
Given autoescape=True SQLAlchemy will establish an escape character and escape occurrences of "%", "_" and the escape character itself. You can control the escape character explicitly using the escape= parameter.