If the user input must fit very specific criteria, then you can use a
validator, such as IS_MATCH or IS_EXPR to validate it before using it to
construct your query. For more general inputs, you should probably not
attempt to escape the input yourself, as it is difficult to get right.
Instead, you should use parametrized queries and let the database handle
the escaping. The db.executesql() method takes a "parameters" argument,
which can be a list, tuple, or dictionary of positional or named parameters
to be filled in the query. The exact format may depend on the database and
driver, so consult the relevant documentation. There's a section on
parametrized queries in SQLite in this tutorial:
http://zetcode.com/db/sqlitepythontutorial/. For more on SQL injection and
prevention in general, see
http://www.slideshare.net/openpbs/sql-injection-defense-in-python.
Anthony
On Tuesday, August 28, 2012 6:30:14 AM UTC-4, Cliff Kachinske wrote:
>
> From the manual:
>
> A field also has methods. Some of them are used to build queries and we
> will see them later. A special method of the field object is validate and
> it calls the validators for the field.
>
> print db.person.name.validate('John')
> which returns a tuple (value, error). error is None if the input passes
> validation.
>
> Go to this link http://web2py.com/books/default/chapter/29/6#Migrations and
> scroll up one paragraph.
>
> Then look at this http://web2py.com/books/default/chapter/29/7#Validators for
> details about the validators. There are lots.
>
> On Monday, August 27, 2012 5:20:24 PM UTC-4, Andrew Evans wrote:
>>
>> yes I have a peculiar SQL query that is using ACOS(), COS() etc for
>> geolocation. I would love to use DAL but it is for a mobile device :D
>>
>> *cheers
>>
>> On Mon, Aug 27, 2012 at 2:11 PM, Anthony <[email protected]> wrote:
>>
>>> Is there a reason you can't use the DAL to do the insert?
>>>
>>>
>>> On Monday, August 27, 2012 4:32:09 PM UTC-4, Andrew Evans wrote:
>>>>
>>>> How can I escape the data submitted by my form to prevent SQL
>>>> Injection. I read using request.post_vars does not escape the data, I am
>>>> using a form built in HTML and submitting the data passing
>>>> request.post_vars as variables to my SQL Query.
>>>>
>>>> Any ideas
>>>>
>>>> *cheers
>>>>
>>>>
>>>> --
--
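Added example, not code from this thread or from web2py: the parametrized-query advice above applied to the kind of ACOS()/COS() geolocation query Andrew describes. It uses Python's standard sqlite3 module directly so it runs stand-alone; the query text and the parameter dict are what one would hand to db.executesql() in web2py, assuming (as Anthony says) that executesql forwards the placeholders to the database driver. The table, rows and distance formula are constructed for the example, and `is_match` is a stand-in in the (value, error) convention the thread quotes, not web2py's own IS_MATCH.

```python
import math
import re
import sqlite3

# Constructed sample rows (not from the thread): name, latitude, longitude.
PLACES = [
    ("Cafe", 40.7128, -74.0060),      # New York
    ("Museum", 40.7614, -73.9776),    # roughly 6 km from Cafe
    ("Park", 34.0522, -118.2437),     # Los Angeles
]


def _acos_clamped(x):
    # Floating-point rounding can push the argument a hair past +/-1 for
    # identical points; math.acos would raise ValueError, so clamp first.
    return math.acos(max(-1.0, min(1.0, x)))


def make_db():
    """In-memory SQLite database with the trig functions the query needs."""
    conn = sqlite3.connect(":memory:")
    # SQLite only ships cos()/acos()/radians() when compiled with math
    # functions; registering Python's keeps the example portable.
    conn.create_function("acos", 1, _acos_clamped)
    conn.create_function("cos", 1, math.cos)
    conn.create_function("sin", 1, math.sin)
    conn.create_function("radians", 1, math.radians)
    conn.execute("CREATE TABLE place (name TEXT, lat REAL, lon REAL)")
    conn.executemany("INSERT INTO place VALUES (?, ?, ?)", PLACES)
    return conn


def _distance_km(lat_expr, lon_expr):
    # Great-circle distance in km (spherical law of cosines, radius 6371 km)
    # between each row and the point given by lat_expr / lon_expr.
    return ("6371 * acos(cos(radians({lat})) * cos(radians(lat)) * "
            "cos(radians(lon) - radians({lon})) + "
            "sin(radians({lat})) * sin(radians(lat)))"
            ).format(lat=lat_expr, lon=lon_expr)


def nearby_unsafe(conn, lat, lon, max_km):
    """Vulnerable: form values are pasted straight into the SQL text."""
    sql = "SELECT name FROM place WHERE %s < %s ORDER BY name" % (
        _distance_km(lat, lon), max_km)
    return [row[0] for row in conn.execute(sql)]


def nearby_safe(conn, lat, lon, max_km):
    """Same query with named placeholders; the driver binds the values."""
    # Binding stops injection but does not type-check: a string such as
    # "1 OR 1=1" would be bound as TEXT, and SQLite orders every number
    # below every text value, so coerce (and thereby validate) numeric
    # inputs before they reach the driver.
    params = {"lat": float(lat), "lon": float(lon), "max_km": float(max_km)}
    sql = "SELECT name FROM place WHERE %s < :max_km ORDER BY name" % (
        _distance_km(":lat", ":lon"))
    return [row[0] for row in conn.execute(sql, params)]


def is_match(pattern, value):
    """Regex validator returning (value, error); a stand-in for web2py's
    IS_MATCH written for this example, not web2py's code."""
    if re.fullmatch(pattern, value):
        return value, None
    return value, "invalid"


def lookup_by_name(conn, name):
    """Validate a free-text field against a tight pattern, then still bind it."""
    value, error = is_match(r"[A-Za-z ]{1,40}", name)
    if error:
        raise ValueError("name rejected: %r" % name)
    rows = conn.execute(
        "SELECT name, lat, lon FROM place WHERE name = ?", (value,))
    return rows.fetchall()


if __name__ == "__main__":
    db = make_db()
    print(nearby_unsafe(db, 40.7128, -74.0060, 10))          # ['Cafe', 'Museum']
    print(nearby_unsafe(db, 40.7128, -74.0060, "1 OR 1=1"))  # every row leaks
    print(nearby_safe(db, 40.7128, -74.0060, 10))            # ['Cafe', 'Museum']
    try:
        nearby_safe(db, 40.7128, -74.0060, "1 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
    print(lookup_by_name(db, "Cafe"))
```

The payload `1 OR 1=1` turns the string-formatted version into `WHERE <distance> < 1 OR 1=1` and returns every row; the bound version never sees it as SQL, and the float() coercion rejects it outright. The coercion matters on its own: with no cast, SQLite would compare the computed distance against a bound text value by storage class, and the condition would be true for every row rather than failing.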