SQLAlchemy
Jump to navigation
Jump to search
Schema Support
https://www.oreilly.com/library/view/essential-sqlalchemy/9780596516147/ch01.html
ref: https://stackoverflow.com/questions/9298296/sqlalchemy-support-of-postgres-schemas
meta = MetaData(schema="client1") If the way your app runs is one "client" at a time within the whole application, you're done. But what may be wrong with that here is, every Table from that MetaData is on that schema. If you want one application to support multiple clients simultaneously (usually what "multitenant" means), this would be unwieldy since you'd need to create a copy of the MetaData and dupe out all the mappings for each client. This approach can be done, if you really want to, the way it works is you'd access each client with a particular mapped class like: client1_foo = Client1Foo() and in that case you'd be working with the "entity name" recipe at http://www.sqlalchemy.org/trac/wiki/UsageRecipes/EntityName in conjunction with sometable.tometadata() (see http://docs.sqlalchemy.org/en/latest/core/metadata.html#sqlalchemy.schema.Table.tometadata). So let's say the way it really works is multiple clients within the app, but only one at a time per thread. Well actually, the easiest way to do that in Postgresql would be to set the search path when you start working with a connection: # start request # new session sess = Session() # set the search path sess.execute("SET search_path TO client1") # do stuff with session # close it. if you're using connection pooling, the # search path is still set up there, so you might want to # revert it first sess.close() The final approach would be to override the compiler using the @compiles extension to stick the "schema" name in within statements. This is doable, but would be tricky as there's not a consistent hook for everywhere "Table" is generated. Your best bet is probably setting the search path on each request.
SQL Injection
from sqlalchemy.sql import text
employees = connection.execute( text('select * from Employees where EmployeeGroup == :group'), group = employeeGroup) # or - notice the requirement to quote "Staff" employees = connection.execute( text('select * from Employees where EmployeeGroup == "Staff"'))
Or good old standard parameterized, probably my preference. SQL alchemy is too all over the place many times.
Parameterized variables.
db.execute("INSERT INTO staff (person_id, lastname) VALUES (?, ?)", (51, "Mc'Donald"))
https://www.btelligent.com/en/blog/best-practice-for-sql-statements-in-python/