Hi, I'm using web2py for a modest project but can't understand how web2py protects against trivial SQL injection attacks. I'm using a PostgreSQL backend. I was trying (for legitimate reasons) to store a backslash in a text field. It appears that web2py does nothing at all with backslashes, and I'm able to cause lots of tickets to be issued with backslashes in fields.
I can see in the SQL the following badness: .... VALUES ('\', ..... I tried different settings of the PostgreSQL parameter backslash_quote, with different errors, but it still doesn't work. I would presume that it's pretty unsafe to assume that database backends will deal nicely with strings such as '\'. Any thoughts? Thanks, David
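The following is an added example, not code from the original post or from web2py, that shows why a literal like '\' is fragile: how PostgreSQL reads a quoted string depends on the standard_conforming_strings setting, so an escaper that only doubles single quotes produces a statement whose meaning changes with server configuration, while an E'...' literal with both backslashes and quotes doubled reads the same under either setting. The lexer below is a small model of PostgreSQL's '...' and E'...' literal rules written for this illustration (it is not the real parser), and the function names naive_literal, safe_literal, lex_literal and demo are assumptions of this example.

```python
# Added example (not from the original post or from web2py): a small model of
# how PostgreSQL reads a string literal under the two settings of
# standard_conforming_strings, used to show why quote-doubling alone is not
# enough when the value contains a backslash.

def naive_literal(value: str) -> str:
    """Quote a value the way a quote-doubling-only escaper would.

    Correct when standard_conforming_strings=on (the default since PostgreSQL
    9.1), wrong when it is off, because then a backslash inside '...' is an
    escape character and can swallow the closing quote."""
    return "'" + value.replace("'", "''") + "'"


def safe_literal(value: str) -> str:
    """Emit an E'...' literal.

    Inside E'...' a backslash is always an escape regardless of
    standard_conforming_strings, so doubling both backslashes and quotes
    yields the same value on every server configuration."""
    return "E'" + value.replace("\\", "\\\\").replace("'", "''") + "'"


class UnterminatedString(ValueError):
    """The literal ran off the end of the statement (what a server would reject)."""


_SIMPLE_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "b": "\b", "f": "\f"}


def lex_literal(sql: str, standard_conforming_strings: bool):
    """Read one string literal from the start of `sql`.

    Returns (decoded_value, remaining_sql). Models only the rules relevant
    here: '' is always a literal quote; backslash escapes apply in E'...'
    always and in plain '...' only when standard_conforming_strings is off.
    """
    if sql.startswith(("E'", "e'")):
        escapes, i = True, 2
    elif sql.startswith("'"):
        escapes, i = (not standard_conforming_strings), 1
    else:
        raise ValueError("not a string literal: %r" % sql)

    out = []
    n = len(sql)
    while i < n:
        c = sql[i]
        if c == "'":
            if i + 1 < n and sql[i + 1] == "'":      # doubled quote -> literal quote
                out.append("'")
                i += 2
                continue
            return "".join(out), sql[i + 1:]          # closing quote found
        if c == "\\" and escapes:
            if i + 1 >= n:
                raise UnterminatedString(sql)
            nxt = sql[i + 1]
            out.append(_SIMPLE_ESCAPES.get(nxt, nxt))  # \n, \t, ... or the char itself (\\, \')
            i += 2
            continue
        out.append(c)
        i += 1
    raise UnterminatedString(sql)


def demo(value: str):
    """For each quoting style and each server setting, return what the server
    would read back as (value, rest_of_statement), or None if the literal is
    unterminated. The tail ", 42)" stands in for the rest of a VALUES(...) clause."""
    result = {}
    for name, quoter in (("naive", naive_literal), ("safe", safe_literal)):
        stmt = quoter(value) + ", 42)"
        for scs in (True, False):
            try:
                result[(name, scs)] = lex_literal(stmt, scs)
            except UnterminatedString:
                result[(name, scs)] = None
    return result


if __name__ == "__main__":
    # Constructed sample inputs: a lone backslash (the poster's case) and a
    # value where a backslash sits directly before a quote.
    for sample in ("\\", "a\\'b"):
        print("value %r:" % sample)
        for (name, scs), got in sorted(demo(sample).items()):
            print("  %-5s standard_conforming_strings=%-5s -> %r" % (name, scs, got))
```

With standard_conforming_strings off, the naive '\' literal is unterminated, and for a value such as a\'b the server reads the literal as a' and treats the remaining b', 42) as SQL, which is exactly the kind of boundary escape an injection relies on; the E'...' form decodes to the original value under both settings. In practice the more robust fix is not to build literals at all but to pass values as bound parameters through the driver (for example psycopg2's cur.execute(sql, params)), so the server never has to re-parse user data as part of the statement text; this is general advice and says nothing about how web2py's DAL itself builds its queries.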