David Y.
When using Flask with SQLAlchemy, how can we execute a raw SQL statement?
SQLAlchemy provides powerful object-relational mapping (ORM) that allows one to use data from SQL databases as Python objects. Most common operations can be accomplished without needing to use custom SQL statements, and avoiding custom SQL makes our code more readable and reduces the chances that SQL injection vulnerabilities will be introduced.
However, the ORM may still be insufficient for representing particularly complex SQL queries. For this reason, SQLAlchemy provides a mechanism for executing raw SQL: the `TextClause` object, created using the `text()` function. A `TextClause` wraps a SQL statement and can be passed to the `execute()` method in the same way as normal ORM operations. Example code:

```python
from sqlalchemy import text

query = text("SELECT name, price FROM products")
result = db.engine.execute(query)  # SQLAlchemy 1.x-style call on the Flask-SQLAlchemy engine
```
It is possible to achieve the same result by passing a raw string to `execute()`, but the `TextClause` object provides additional functionality, such as parameter binding:

```python
from sqlalchemy import text

query = text("SELECT name, price FROM products WHERE category=:product_category")
result = db.engine.execute(query, product_category="Fruit")  # :product_category is bound, not interpolated
```

Parameter binding allows us to reuse the same SQL query with different values and mitigates the risk of SQL injection when working with untrusted data: the bound value is sent to the database driver separately from the statement text, so it can never be parsed as SQL. Only the bound values are protected, however; the statement string handed to `text()` must itself never be assembled from untrusted input by concatenation or formatting. Note also that `Engine.execute()` was removed in SQLAlchemy 2.0; there, parameters are passed as a dictionary to `Connection.execute()` or, in Flask-SQLAlchemy, to `db.session.execute(query, {"product_category": "Fruit"})`.
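The following is an added example, not code from the original answer, showing the difference parameter binding makes. It assumes a plain SQLAlchemy engine over an in-memory SQLite database instead of Flask-SQLAlchemy's `db` object, and the `products` table and its rows are constructed for the demo. The unsafe function formats the untrusted value into the statement string before calling `text()`; the safe one binds it to `:product_category`. Both calls use `Connection.execute()` with a parameter dictionary, which works in SQLAlchemy 1.4 and 2.0.

```python
from sqlalchemy import create_engine, text
from sqlalchemy.pool import StaticPool

# Constructed sample data for the demo; not from the original page.
SAMPLE_PRODUCTS = [
    {"name": "apple", "price": 0.5, "category": "Fruit"},
    {"name": "banana", "price": 0.25, "category": "Fruit"},
    {"name": "carrot", "price": 0.75, "category": "Vegetable"},
]


def build_demo_engine():
    """Create an in-memory SQLite engine seeded with SAMPLE_PRODUCTS.

    StaticPool keeps a single underlying connection, so the in-memory
    database survives across separate engine.begin() blocks.
    """
    engine = create_engine(
        "sqlite://",
        poolclass=StaticPool,
        connect_args={"check_same_thread": False},
    )
    with engine.begin() as conn:  # begin() commits on exit in both 1.4 and 2.0
        conn.execute(text("CREATE TABLE products (name TEXT, price REAL, category TEXT)"))
        conn.execute(
            text("INSERT INTO products (name, price, category) VALUES (:name, :price, :category)"),
            SAMPLE_PRODUCTS,  # a list of dicts runs the statement once per row, each value bound
        )
    return engine


def products_in_category_unsafe(engine, category):
    """VULNERABLE: the untrusted value is formatted into the SQL text itself.

    text() cannot distinguish the value from the statement, so an input such as
    "' OR '1'='1" rewrites the WHERE clause and returns every row.
    """
    stmt = text(f"SELECT name, price FROM products WHERE category = '{category}' ORDER BY name")
    with engine.begin() as conn:
        return [tuple(row) for row in conn.execute(stmt)]


def products_in_category(engine, category):
    """Safe: the value is bound to :product_category and handed to the driver separately."""
    stmt = text("SELECT name, price FROM products WHERE category = :product_category ORDER BY name")
    with engine.begin() as conn:
        return [tuple(row) for row in conn.execute(stmt, {"product_category": category})]


if __name__ == "__main__":
    engine = build_demo_engine()
    payload = "' OR '1'='1"
    print("unsafe, normal input:", products_in_category_unsafe(engine, "Fruit"))
    print("unsafe, injected    :", products_in_category_unsafe(engine, payload))  # all three rows leak
    print("safe,   normal input:", products_in_category(engine, "Fruit"))
    print("safe,   injected    :", products_in_category(engine, payload))  # no row has that literal category
```

With the bound version the payload is compared as an ordinary string against the `category` column, matches nothing, and the query returns an empty list; the formatted version returns the whole table. One related caveat when writing `text()` statements by hand: a colon followed by a word character is always read as a bind parameter, so a literal colon in the SQL (for example in a PostgreSQL `::type` cast or a time literal) must be escaped as `\:`.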