If you use the values from request parameters in your queries, only use
them as parameters; do not construct a GQL string and use that.

    from google.appengine.ext import db
    # the request value is bound to :1 by the datastore; it is never
    # spliced into the query text itself
    db.GqlQuery('SELECT * FROM MyModel WHERE attr = :1', self.request.get('xxx'))
If you want to show the values later on an HTML page, make sure you
replace the characters < > ' & "
    # from django/utils/html.py (Python 2 era; basestring covers str and unicode)
    def escape(html):
        "Returns the given HTML with ampersands, quotes and carets encoded"
        if not isinstance(html, basestring):
            html = str(html)
        # '&' must be replaced first, otherwise the entities produced by the
        # later replacements would themselves be re-encoded
        return html.replace('&', '&amp;').replace('<',
            '&lt;').replace('>', '&gt;').replace('"', '&quot;').replace("'",
            '&#39;')
2010/9/28 Martin Webb <[email protected]>:
> I'm in the final stages of finishing an app.
> I was wondering if, when I receive params from forms in my handlers -
> querystrings - I need to do anything to them (escape) before I use them in
> my app, i.e. to eliminate (old-fashioned SQL injection). I have a base class
> that reads posted params, so it's easy to add a check to strings that must not
> contain dangerous code. Is this necessary on App Engine?
>
>
> Regards
>
> Martin Webb
>
--
You received this message because you are subscribed to the Google Groups
"Google App Engine" group.
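The escaping advice above, worked through as an added example that is not part of the thread or of Django itself: a Python 3 port of the quoted escape() (the original relies on Python 2's basestring), a small helper that shows where the escaped value is used, and a deliberately mis-ordered variant that demonstrates why the ampersand has to be encoded first. The function and variable names are assumptions made for this example.

```python
# Added example, not code from the thread: Python 3 port of the Django
# escape() quoted in the reply, plus a demonstration of the ordering pitfall.
import html


def escape(value):
    """Return `value` with & < > " ' encoded as HTML entities.

    Non-string input (ints, None, ...) is converted with str() first, as in
    the Django original.  The ampersand is replaced first so that the '&'
    characters introduced by the later replacements are not re-encoded.
    """
    if not isinstance(value, str):
        value = str(value)
    return (value.replace('&', '&amp;')
                 .replace('<', '&lt;')
                 .replace('>', '&gt;')
                 .replace('"', '&quot;')
                 .replace("'", '&#39;'))


def escape_ampersand_last(value):
    """Deliberately wrong order, kept only to show the double-encoding bug:
    '<' becomes '&lt;' and then its '&' becomes '&amp;', yielding '&amp;lt;'.
    """
    value = str(value)
    return (value.replace('<', '&lt;')
                 .replace('>', '&gt;')
                 .replace('&', '&amp;'))


def render_cell(value):
    """Render a request value inside an HTML table cell.

    The same escaped text is safe both as element content and inside a
    double-quoted attribute, because '"' is encoded as &quot;.
    """
    safe = escape(value)
    return '<td title="%s">%s</td>' % (safe, safe)


def agrees_with_stdlib(value):
    """True if escape() and html.escape() differ only in the apostrophe entity
    (Django uses &#39;, the standard library uses &#x27;)."""
    return escape(value) == html.escape(value).replace('&#x27;', '&#39;')


if __name__ == '__main__':
    # constructed sample values standing in for self.request.get(...)
    for sample in ['<script>alert(1)</script>', 'Tom & Jerry', 'say "hi"', 42]:
        print(render_cell(sample))
    print(escape_ampersand_last('<'))  # shows the double-encoded &amp;lt;
```

escape() encodes whatever it is given, so text that is already encoded ('&lt;') comes out doubly encoded ('&amp;lt;'); apply it exactly once, at the point where the value is written into the page, not when the parameter is read.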