You don't need to worry about string sanitisation for insertion into
the datastore in App Engine (or, indeed, in most other modern
frameworks), as it supports argument substitution.
That is, you should never construct a GQL (or SQL!) statement by
concatenating strings with user data. Instead, in GQL, you can insert
placeholders for user data of the form :num (eg, :1, :2, etc) or :name
(eg, :foo, :bar etc), and then pass the user data to fill those
placeholders as arguments to the query constructor. The GQL engine
itself never actually substitutes the strings in, so there's no risk
of 'GQL injection' issues or anything else. For example, you can do:
q = db.GqlQuery("SELECT * FROM Greeting WHERE foo = :1 AND bar = :2",
foo, bar)
Or equivalently, using the Query interface:
q = Greeting.all().filter("foo =", foo).filter("bar =", bar)
For more details on both approaches, see
http://code.google.com/appengine/docs/python/datastore/creatinggettinganddeletingdata.html#Getting_Entities_Using_a_Query
You do still have to worry about the separate issue of XSS, etc, but
you've already mentioned that's probably not a problem for you -
unless you expect the author to send you malicious code, which could
force your browser to take privileged actions they can't take
themselves.
-Nick Johnson
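To make the distinction above concrete, here is an added example that is not part of Nick's reply or the App Engine SDK. Because the datastore SDK is not available to run offline, it uses Python's standard-library sqlite3 module as a stand-in: sqlite's `?` and `:name` placeholders play the same role as GQL's `:1`/`:name`, and the "Greeting" table, its rows and the hostile input are all constructed for the demonstration. It shows why the concatenated statement is unsafe and why the bound version is not.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the 'Greeting' kind."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Greeting (foo TEXT, bar TEXT)")
    conn.executemany(
        "INSERT INTO Greeting VALUES (?, ?)",
        [("hello", "a"), ("hello", "b"), ("secret", "c")],
    )
    return conn


def query_by_concatenation(conn, foo, bar):
    """The pattern the reply says never to use: user data pasted into the
    statement text, so the data can change the statement's structure."""
    stmt = "SELECT foo, bar FROM Greeting WHERE foo = '%s' AND bar = '%s'" % (foo, bar)
    return conn.execute(stmt).fetchall()


def query_with_placeholders(conn, foo, bar):
    """Argument substitution: the statement text is fixed and the values are
    bound separately. sqlite's '?' is the analogue of GQL's ':1' and ':2'."""
    stmt = "SELECT foo, bar FROM Greeting WHERE foo = ? AND bar = ?"
    return conn.execute(stmt, (foo, bar)).fetchall()


def query_with_named_placeholders(conn, foo, bar):
    """Same thing with named parameters, the analogue of GQL's ':foo' / ':bar'."""
    stmt = "SELECT foo, bar FROM Greeting WHERE foo = :foo AND bar = :bar"
    return conn.execute(stmt, {"foo": foo, "bar": bar}).fetchall()


def demo():
    """Run both query styles against a benign and a constructed hostile input
    and return the row sets so they can be compared."""
    conn = make_db()
    benign = ("hello", "a")
    # Constructed hostile value: it contains a quote that, when concatenated,
    # terminates the literal and widens the WHERE clause to every row.
    hostile = ("x' OR 'a'='a", "x' OR 'a'='a")
    return {
        "concat_benign": query_by_concatenation(conn, *benign),
        "concat_hostile": query_by_concatenation(conn, *hostile),
        "bound_benign": query_with_placeholders(conn, *benign),
        "bound_hostile": query_with_placeholders(conn, *hostile),
        "named_hostile": query_with_named_placeholders(conn, *hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print("%-15s -> %d row(s): %r" % (name, len(rows), rows))
```

With the bound forms the hostile value is compared as an ordinary string and matches nothing; with concatenation the same value returns the whole table. The `Greeting.all().filter("foo =", foo)` form in the reply never builds a statement string at all, so it has the same property.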
On Apr 15, 9:15 pm, KenCorey <[email protected]> wrote:
> Hi All,
>
> I'm coming from a LAMP-style background where one had to be pretty
> careful about what's allowed near the database.
>
> This is also my first Python code, so it's a learning curve for me.
>
> I've heard that the psycopg Postgres SQL interface handles strange
> HTML sent to it automagically (refer
> to: http://www.modpython.org/pipermail/mod_python/2004-December/016984.html).
>
> I also found a fairly in-depth discussion of sanitising
> here: http://stackoverflow.com/questions/16861/sanitising-user-input-using-...
>
> My application simply allows for text inputs. Further, the data you
> enter in the fields is not visible by anyone but you (and me as the
> developer, natch). No HTML, nothing but text. I'm considering using
> the 'sanitizeHtml' function listed in the second article above.
>
> But is it truly necessary? I gather that Gql is not SQL. Does it
> offer the same scope for mischief? Is sanitisation completely
> necessary on AppEngine?
>
> If so, what /in particular/ should I worry about? I mean, I don't
> have to worry about commands being passed to a shell, as shells aren't
> run here. Do I need to worry about SQL injection? What pitfalls
> other than these two do I not know about? XSS seems self-defeating, as
> nobody else other than the author and myself can see malicious code.
>
> Thanks for any input!
>
> -Ken
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Google App Engine" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/google-appengine?hl=en
-~----------~----~----~----~------~----~------~--~---