Generally the same statement can be built using internal SQLAlchemy...
But if you want to do your own, you can in SQLAlchemy while still being as safe:
http://docs.sqlalchemy.org/en/rel_0_5/sqlexpression.html#usi...
But it's possible and people do it. Which is, I believe the point was, the counterpoint to "SQLi should be impossible".
Sure, one can avoid shooting themselves in the foot with an ORM. But that's also true in SQL.
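The distinction this exchange turns on, as an added example that is not part of either comment: the same hand-written SQL is injectable when the value is spliced into the statement text and safe when it is passed as a bound parameter. It uses Python's standard-library `sqlite3` driver rather than SQLAlchemy; the table, rows and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")])
    return db

def find_spliced(db, name):
    """Unsafe: the value becomes part of the SQL text the parser sees."""
    sql = "SELECT name FROM users WHERE name = '%s' ORDER BY name" % name
    return [row[0] for row in db.execute(sql)]

def find_bound(db, name):
    """Safe: the SQL text is fixed and the value travels separately as data."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in db.execute(sql, (name,))]

def compare(name):
    """Run both lookups on a fresh database; report a parse failure as 'error'."""
    db = make_db()
    try:
        try:
            spliced = find_spliced(db, name)
        except sqlite3.Error:
            spliced = "error"  # the input changed the statement's syntax
        return spliced, find_bound(db, name)
    finally:
        db.close()

HOSTILE = "x' OR '1'='1"  # constructed input that rewrites the WHERE clause
QUOTED = "O'Brien"        # legitimate value that happens to contain a quote

if __name__ == "__main__":
    for value in ("bob", HOSTILE, QUOTED):
        spliced, bound = compare(value)
        print(f"{value!r}: spliced={spliced!r} bound={bound!r}")
```

The spliced query returns every row for the hostile input and fails outright on a legitimate name containan apostrophe, while the bound query treats both as plain values.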