ecm.db

The ecm.db namespace enables direct SQL access to the ECM server’s database via the ado.ExecuteSQL job.

The connecting user requires appropriate database access rights on the server. Data manipulation statements (INSERT, UPDATE, DELETE) must be explicitly enabled via a registry setting on the application server.
Method      Description
select()    Executes a SQL statement and returns the parsed result.

1. SQL injection protection

To prevent SQL injection, select() provides a parameter mechanism using placeholders. Never embed user input directly into SQL via string formatting:

# Wrong — vulnerable to SQL injection
sql = f"SELECT * FROM benutzer WHERE benutzer = '{username}'"

# Correct — use placeholders
result = ecm.db.select(
    "SELECT * FROM benutzer WHERE benutzer = %s",
    username,
)
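The following is an added, self-contained illustration of why the placeholder form matters; it is not code from the ECM product or its documentation. Because ecm.db is only available inside the ECM server, the example uses Python's built-in sqlite3 module with a small constructed "benutzer" table, and a stand-in select() helper that accepts the same %s placeholder convention shown above (the assumption being that the real ecm.db.select() takes its parameter values positionally after the statement). It runs the formatted and the parameterized lookup side by side on an ordinary name, a name containing an apostrophe, and a constructed hostile string, so the difference in behaviour is visible rather than asserted.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory table standing in for the ECM 'benutzer' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE benutzer (benutzer TEXT, rolle TEXT)")
    conn.executemany(
        "INSERT INTO benutzer VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user"), ("O'Brien", "user")],
    )
    return conn


def select(conn, sql, *params):
    """Stand-in for ecm.db.select() (assumed calling convention, not the real API).

    The statement keeps its %s placeholders; the values travel separately to the
    driver, which binds each one as a literal. The SQL text itself never changes,
    so a value cannot be parsed as part of the query.
    """
    return conn.execute(sql.replace("%s", "?"), params).fetchall()


def lookup_user_unsafe(conn, username):
    """Wrong: the input is spliced into the SQL text via string formatting."""
    sql = f"SELECT benutzer, rolle FROM benutzer WHERE benutzer = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, username):
    """Correct: the input is passed as a bound parameter."""
    return select(conn, "SELECT benutzer, rolle FROM benutzer WHERE benutzer = %s", username)


def demo():
    """Run both lookups on the same inputs and summarise the observable difference."""
    conn = make_db()
    # Constructed hostile input: it closes the string literal in the formatted query.
    hostile = "' OR '1'='1"
    try:
        lookup_user_unsafe(conn, "O'Brien")
        unsafe_handles_apostrophe = True
    except sqlite3.OperationalError:
        # The apostrophe in a legitimate name breaks the formatted statement.
        unsafe_handles_apostrophe = False
    return {
        # Formatted query: the WHERE clause is rewritten and every row comes back.
        "unsafe_rows_for_hostile_input": len(lookup_user_unsafe(conn, hostile)),
        # Parameterized query: the string is compared as a literal; nothing matches.
        "safe_rows_for_hostile_input": len(lookup_user_safe(conn, hostile)),
        "unsafe_handles_apostrophe": unsafe_handles_apostrophe,
        # Parameterized query also handles legitimate names with quotes correctly.
        "safe_rows_for_apostrophe": len(lookup_user_safe(conn, "O'Brien")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The apostrophe case is the one to remember when reviewing scripts: string formatting is not only an injection risk, it also produces a broken statement for perfectly legitimate data, whereas the placeholder form handles both identically.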