On Mon, 2009-03-23 at 12:31 -0700, Bobby Roberts wrote:
[...]
> I thought I read that there was a way to check data for SQL query
> injections / cross site scripting etc before insertion....

The whole thing about SQL injections is that there is no way to 100%
reliably "check for them". So you don't ever insert user-supplied data
into an SQL statement without quoting it. That is what the Python
database wrappers all do. Any user-supplied data are passed as
parameters, meaning they will be inserted as string literals (or
integers or whatever) into the database, not interpreted as SQL. That's
got nothing to do with forms.

Similarly, cross site scripting isn't something you check for. It's
something you prevent by not allowing raw HTML to be inserted by users.
That's handled on the output side by, e.g., auto-escaping for HTML, the
escapejs filter for JavaScript and so on. It's not an input issue, per
se.

Regards,
Malcolm
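The two points in the reply, parameters instead of string-built SQL on the input side and escaping on the output side, as an added example that is not part of the original thread. It uses only the standard-library `sqlite3` DB-API driver and `html.escape`; `escape_js` is a hypothetical, simplified stand-in for the idea behind Django's escapejs filter, not Django's own code.

```python
import html
import sqlite3

# Constructed sample input: a value containing a quote and raw HTML, i.e.
# data that is harmless if treated as data and harmful if treated as code.
SAMPLE_NAME = "O'Brien <b>x</b>"


def new_db():
    """Fresh in-memory database with one table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    return conn


def insert_parameterized(conn, name):
    """The approach the reply recommends: the value is bound as a parameter.

    The driver never splices `name` into the SQL text, so the quote inside
    it is stored as part of the string and is not interpreted as SQL.
    """
    conn.execute("INSERT INTO users (name) VALUES (?)", (name,))
    row = conn.execute("SELECT name FROM users ORDER BY id DESC LIMIT 1").fetchone()
    return row[0]


def insert_string_built(conn, name):
    """The pattern the reply warns against: the value becomes SQL text.

    With a quote in the value the statement is no longer well-formed, which
    is exactly why there is no reliable input-side "check" for this; the
    fix is to never build the statement this way.
    """
    try:
        conn.execute("INSERT INTO users (name) VALUES ('%s')" % name)
    except sqlite3.OperationalError as exc:
        return "error: %s" % exc
    row = conn.execute("SELECT name FROM users ORDER BY id DESC LIMIT 1").fetchone()
    return row[0]


def render_html(name):
    """Output-side escaping for an HTML context (what auto-escaping does)."""
    return "<p>Hello, %s</p>" % html.escape(name)


def escape_js(value):
    """Simplified stand-in for escapejs-style escaping (assumption, not
    Django's implementation): characters that could end a JS string literal
    or start markup are emitted as \\uXXXX escapes."""
    out = []
    for ch in value:
        if ch in "\\'\"<>&=-;`" or ord(ch) < 32:
            out.append("\\u%04X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def render_js(name):
    """Output-side escaping for a JavaScript string-literal context."""
    return "var name = '%s';" % escape_js(name)


if __name__ == "__main__":
    db = new_db()
    print(insert_parameterized(db, SAMPLE_NAME))   # stored verbatim
    print(insert_string_built(db, SAMPLE_NAME))    # broken statement
    print(render_html(SAMPLE_NAME))
    print(render_js(SAMPLE_NAME))
```

The same stored value is escaped differently depending on where it is emitted: the HTML context turns `<` into `&lt;`, the JavaScript context turns the quote into `\u0027`. Which escaping applies is decided at output time, which is why the reply calls this an output concern rather than an input one.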
