Unless you're writing your own raw SQL, I think the DAL is supposed to 
protect against SQL injection attacks. And if you're returning code to any 
views, the template engine should escape it properly before rendering. Have 
you successfully executed an actual attack?

On Saturday, June 18, 2011 12:35:41 PM UTC-4, weheh wrote:

> Not exactly a web2py issue, but related. I'm using the jQuery edit in 
> place function http://code.google.com/p/jquery-in-place-editor/ along 
> with a web2py backend. During testing I was able to simulate what I 
> think is called an injection attack, by placing a <script>alert("hello 
> world");</script> in the replacement string for the string being 
> edited. Originally, I was just going to do 
>   
> db.mytable[mytable_id]={request.vars.element_id:request.vars.update_value} 
> but this would have cemented the attack into my db. Instead, I'm 
> thinking of doing 
>   
> db.mytable[mytable_id]={request.vars.element_id:XML(request.vars.update_value,sanitize=True)}
>
> Is this the right way to clean the incoming text of any malicious 
> attacks? Or is there a better method?
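As an added illustration (not the poster's code and not web2py's own), here are the two defenses the reply refers to, with sqlite3 standing in for the DAL and html.escape standing in for the template engine; the table, the field allowlist and the payload are constructed for the example. Because the field name in the original comes from request.vars.element_id and a column name cannot be bound as a query parameter, the example checks it against an allowlist before it reaches the SQL.

```python
import html
import sqlite3

# Constructed allowlist: the only fields the in-place editor may change.
EDITABLE_FIELDS = {"title", "description"}

# Constructed payload of the kind described in the thread.
PAYLOAD = '<script>alert("hello world");</script>'


def is_editable(element_id):
    """Column names cannot be parameterised, so they are allowlisted instead."""
    return element_id in EDITABLE_FIELDS


def setup_db():
    """In-memory stand-in for the web2py-backed table (sqlite3, not the DAL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mytable (id INTEGER PRIMARY KEY, title TEXT, description TEXT)")
    conn.execute("INSERT INTO mytable (title, description) VALUES (?, ?)", ("old title", "old text"))
    conn.commit()
    return conn


def update_field(conn, row_id, element_id, update_value):
    """Apply one in-place edit. The value is bound as a parameter (what the DAL
    does for you), so it can never alter the SQL; it is stored verbatim."""
    if not is_editable(element_id):
        raise ValueError("not an editable field: %r" % element_id)
    conn.execute("UPDATE mytable SET %s = ? WHERE id = ?" % element_id, (update_value, row_id))
    conn.commit()


def fetch_field(conn, row_id, element_id):
    if not is_editable(element_id):
        raise ValueError("not an editable field: %r" % element_id)
    return conn.execute("SELECT %s FROM mytable WHERE id = ?" % element_id, (row_id,)).fetchone()[0]


def render_span(element_id, value):
    """What the template engine does on output: escape, so stored text is shown
    as text and is never parsed as markup by the browser."""
    return '<span id="%s">%s</span>' % (html.escape(element_id), html.escape(value))


if __name__ == "__main__":
    conn = setup_db()
    update_field(conn, 1, "title", PAYLOAD)
    stored = fetch_field(conn, 1, "title")   # the raw text, unchanged, sits in the row
    print(render_span("title", stored))      # the markup is neutralised on output
```

Storing the raw text is harmless as long as every place that renders it escapes it; sanitizing on input only helps when you actually want some HTML to survive.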
