Comment 10 for bug 918608

Nikita Savin (nsavin) wrote :

For sure this is an issue in SQLAlchemy, and it has to sanitize limit().
But this is partially an issue in Keystone too - it is usually a very good idea to sanitize all user input, especially in a public API.
For example, glance. It supports limit in its API, and it works with the same buggy SQLAlchemy. But the glance API controls user input, so there is no SQL injection like in keystone, but rather a meaningful error message:
> curl 'localhost:9191/images?limit=1"'
<html>
 <head>
  <title>400 Bad Request</title>
 </head>
 <body>
  <h1>400 Bad Request</h1>
  The server could not comply with the request since it is either malformed or otherwise incorrect.<br /><br />
limit param must be an integer

 </body>
</html>
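
The input check described in the comment above, as an added sketch that is not part of the original comment and is not Glance's or Keystone's code: the limit query parameter is validated as an integer before it reaches the database layer, and is then passed as a bound parameter. The names parse_limit, list_images, demo_db, the default and maximum limits, the "must be positive" message and the sqlite3 sample table are assumptions made for illustration.

```python
import re
import sqlite3
from urllib.parse import parse_qs

DEFAULT_LIMIT = 25   # assumed default page size
MAX_LIMIT = 1000     # assumed upper bound


class BadRequest(Exception):
    """Maps to an HTTP 400 response."""


def parse_limit(query_string):
    """Return a validated integer limit from a raw query string."""
    values = parse_qs(query_string).get("limit")
    if not values:
        return DEFAULT_LIMIT
    raw = values[-1]
    # Strict whitelist: optional sign plus at most 9 ASCII digits.
    # int() alone would also accept " 5", "+5" or "1_000".
    if not re.fullmatch(r"-?[0-9]{1,9}", raw):
        raise BadRequest("limit param must be an integer")
    limit = int(raw)
    if limit < 1:
        raise BadRequest("limit param must be positive")
    return min(limit, MAX_LIMIT)


def list_images(conn, query_string):
    """Return (status, body) for a listing request."""
    try:
        limit = parse_limit(query_string)
    except BadRequest as exc:
        return 400, str(exc)
    # The validated integer is still bound as a parameter,
    # never formatted into the SQL text.
    rows = conn.execute(
        "SELECT name FROM images ORDER BY id LIMIT ?", (limit,)
    ).fetchall()
    return 200, [name for (name,) in rows]


def demo_db():
    """Constructed in-memory sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE images (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO images (name) VALUES (?)",
                     [("cirros",), ("ubuntu",), ("fedora",)])
    return conn
```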