Hi,

I'm using web2py for a modest project but can't understand how web2py protects against trivial SQL injection attacks. I'm using a postgresql backend.

I was trying (for legitimate reasons) to store a backslash in a text field. It appears that web2py does nothing at all with backslashes and I'm able to cause lots of tickets to be issued with backslashes in fields. I can see in the SQL the following badness:

.... VALUES ('\', .....

I tried different settings of the postgresql parameter backslash_quote with different errors but it still doesn't work. I would presume that it's pretty unsafe to assume that database backends will deal nicely with strings such as '\'.

Any thoughts?

Thanks,
David
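To illustrate why the '\' case above turns into broken SQL, here is an added example (not web2py's or PostgreSQL's own code) with a small scanner that models just the PostgreSQL string-literal rules involved: a doubled quote is an escaped quote, a backslash inside '...' is an escape character when standard_conforming_strings is off (the default before 9.1), and E'...' literals always treat backslash as an escape. It contrasts quoting by doubling single quotes alone with escaping both characters; in real code the driver's parameter binding (e.g. psycopg2's cursor.execute(sql, params)) should be used instead of either.

```python
def naive_literal(value: str) -> str:
    """Quote a value by doubling single quotes only (the unsafe approach)."""
    return "'" + value.replace("'", "''") + "'"


def escaped_literal(value: str) -> str:
    """Use the E'...' form and escape backslash as well as the quote,
    which is what a driver-level escaping routine does."""
    return "E'" + value.replace("\\", "\\\\").replace("'", "''") + "'"


def literal_is_terminated(literal: str, standard_conforming_strings: bool) -> bool:
    """Return True if `literal` is exactly one complete PostgreSQL string literal.

    An unterminated literal, or text after the closing quote, means the value
    has escaped the string context: the condition an injection relies on.
    Only the quote/backslash rules relevant to the question are modelled.
    """
    escape_backslash = not standard_conforming_strings
    i = 0
    if literal.startswith("E'"):
        escape_backslash = True   # E'...' always honours backslash escapes
        i = 2
    elif literal.startswith("'"):
        i = 1
    else:
        return False
    n = len(literal)
    while i < n:
        c = literal[i]
        if c == "\\" and escape_backslash:
            i += 2                # backslash consumes the next character
            continue
        if c == "'":
            if i + 1 < n and literal[i + 1] == "'":
                i += 2            # doubled quote: a literal single quote
                continue
            return i == n - 1     # closing quote must be the last character
        i += 1
    return False                  # ran off the end: unterminated literal


def backslash_case_is_safe(standard_conforming_strings: bool) -> tuple:
    """The page's own input, a lone backslash, under both quoting styles."""
    return (literal_is_terminated(naive_literal("\\"), standard_conforming_strings),
            literal_is_terminated(escaped_literal("\\"), standard_conforming_strings))
```

With standard_conforming_strings off, naive quoting of a lone backslash yields '\' whose backslash swallows the closing quote, so the statement is left open, which matches the error tickets described in the post.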