如何在原始查询中将Oracle列安全地绑定到ORDER BY到SQLAlchemy？

Question

I'm trying to execute a raw sql query and safely pass an order by/asc/desc based on user input. This is the back end for a paginated datagrid. I cannot for the life of me figure out how to do this safely. Parameters get converted to strings so Oracle can't execute the query. I can't find any examples of this anywhere on the internet. What is the best way to safely accomplish this? (I am not using the ORM, must be raw sql).

My workaround is just setting ASC/DESC to a variable that I set. This works fine and is safe. However, how do I bind a column name to the ORDER BY? Is that even possible? I can just whitelist a bunch of columns and do something similar as I do with the ASC/DESC. I was just curious if there's a way to bind it. Thanks.

@default.route('/api/barcodes/<sort_by>/<sort_dir>', methods=['GET'])
@json_enc
def fetch_barcodes(sort_by, sort_dir):
    #time.sleep(5)

    # Can't use sort_dir as a parameter, so assign to variable to sanitize it
    ord_dir = "DESC" if sort_dir.lower() == 'desc' else 'ASC'

    records = []
    stmt = text("SELECT bb_request_id,bb_barcode,bs_status, "
        "TO_CHAR(bb_rec_cre_date, 'MM/DD/YYYY') AS bb_rec_cre_date "
        "FROM bars_barcodes,bars_status "
        "WHERE bs_status_id = bb_status_id "
        "ORDER BY :ord_by :ord_dir ")
    stmt = stmt.bindparams(ord_by=sort_by,ord_dir=ord_dir)
    rs = db.session.execute(stmt)
    records = [dict(zip(rs.keys(), row)) for row in rs]

DatabaseError: (cx_Oracle.DatabaseError) ORA-01036: illegal variable name/number [SQL: "SELECT bb_request_id,bb_barcode,bs_status, TO_CHAR(bb_rec_cre_date, 'MM/DD/YYYY') AS bb_rec_cre_date FROM bars_barcodes,bars_status WHERE bs_status_id = bb_status_id ORDER BY :ord_by :ord_dir "] [parameters: {'ord_by': u'bb_rec_cre_date', 'ord_dir': 'ASC'}]

UPDATE Solution based on accepted answer:

def fetch_barcodes(sort_by, sort_dir, page, rows_per_page):
    ord_dir_func = desc if sort_dir.lower() == 'desc' else asc
    query_limit = int(rows_per_page)
    query_offset = (int(page) - 1) * query_limit

    stmt = select([column('bb_request_id'),
                   column('bb_barcode'),
                   column('bs_status'),
                   func.to_char(column('bb_rec_cre_date'), 'MM/DD/YYYY').label('bb_rec_cre_date')]).\
        select_from(table('bars_barcode')).\
        select_from(table('bars_status')).\
        where(column('bs_status_id') == column('bb_status_id')).\
        order_by(ord_dir_func(column(sort_by))).\
        limit(query_limit).offset(query_offset)

    result = db.session.execute(stmt)
    records = [dict(row) for row in result]
    response = json_return()
    response.addRecords(records)
    #response.setTotal(len(records))
    response.setTotal(1001)
    response.setSuccess(True)
    response.addMessage("Records retrieved successfully. Limit: " + str(query_limit) + ", Offset: " + str(query_offset) + " SQL: " + str(stmt))

    return response

Answer 1

You could use Core constructs such as table() and column() for this instead of raw SQL strings. That'd make your life easier in this regard:

from sqlalchemy import select, table, column, asc, desc

ord_dir = desc if sort_dir.lower() == 'desc' else asc

stmt = select([column('bb_request_id'),
               column('bb_barcode'),
               column('bs_status'),
               func.to_char(column('bb_rec_cre_date'),
                            'MM/DD/YYYY').label('bb_rec_cre_date')]).\
    select_from(table('bars_barcodes')).\
    select_from(table('bars_status')).\
    where(column('bs_status_id') == column('bb_status_id')).\
    order_by(ord_dir(column(sort_by)))

table() and column() represent the syntactic part of a full blown Table object with Column s and can be used in this fashion for escaping purposes:

The text handled by column() is assumed to be handled like the name of a database column; if the string contains mixed case, special characters, or matches a known reserved word on the target backend, the column expression will render using the quoting behavior determined by the backend.

Still, whitelisting might not be a bad idea.

Note that you don't need to manually zip() the row proxies in order to produce dictionaries. They act as mappings as is, and if you need dict() for serialization reasons or such, just do dict(row) .