Hi All,

I'm coming from a LAMP-style background where one had to be pretty
careful about what's allowed near the database.

This is also my first Python code, so it's a learning curve for me.

I've heard that the psycopg Postgres SQL interface handles strange
HTML sent to it automagically (refer to:
http://www.modpython.org/pipermail/mod_python/2004-December/016984.html).

I also found a fairly in-depth discussion of sanitising here:
http://stackoverflow.com/questions/16861/sanitising-user-input-using-python

My application simply allows for text inputs.  Further, the data you
enter in the fields is not visible by anyone but you (and me as the
developer, natch). No HTML, nothing but text.  I'm considering using
the 'sanitizeHtml' function listed in the second article above.

But is it truly necessary?  I gather that GQL is not SQL.  Does it
offer the same scope for mischief?  Is sanitisation completely
necessary on AppEngine?

If so, what /in particular/ should I worry about?  I mean, I don't
have to worry about commands being passed to a shell, as shells aren't
run here.  Do I need to worry about SQL injection?  What pitfalls
other than these two do I not know about? XSS seems self-defeating, as
nobody else other than the author and myself can see malicious code.

Thanks for any input!

-Ken
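An added example (not from the post or the linked threads) contrasting the two approaches the question weighs: an input-time tag-stripping "sanitizer" versus storing text untouched and encoding it only at the point it enters an HTML page. The `strip_tags` regex is a constructed stand-in for a crude sanitizer; the sample strings are constructed. The GQL line in the comment is the App Engine Python SDK's parameter-binding syntax and is not executed here.

```python
import html
import re

# Constructed sample input: text a user might legitimately type into a plain-text field.
SAMPLE_MATH = "if a < b and c > d"
SAMPLE_ANGLE = "<b>bold?</b> no, just text"


def strip_tags(text):
    """Crude input-time 'sanitizer' (constructed stand-in): deletes anything that
    looks like a tag, so it silently corrupts honest text containing < and >."""
    return re.sub(r"<[^>]*>", "", text)


def store_note(text):
    """Store exactly what the user typed. The datastore is not an HTML context,
    so nothing needs to be altered on the way in.

    For the query side, the analogue of a prepared statement is to bind values
    instead of concatenating them into the GQL string (App Engine SDK syntax,
    not run here):
        db.GqlQuery("SELECT * FROM Note WHERE owner = :1", owner)
    """
    return text


def render_note(stored):
    """Encode at the point the text enters an HTML page. html.escape converts
    <, >, &, and quotes so stored characters display literally and never
    become markup, regardless of what was typed."""
    return "<p>%s</p>" % html.escape(stored, quote=True)


def compare(text):
    """Show the lossy sanitizer result beside the lossless store-then-encode result."""
    return {"stripped": strip_tags(text), "rendered": render_note(store_note(text))}


if __name__ == "__main__":
    for sample in (SAMPLE_MATH, SAMPLE_ANGLE):
        print(compare(sample))
```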

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups 
"Google App Engine" group.