I am using Flask, WTForms, and the OurSQL MySQL library for my app. I

Question

0

Asked: May 28, 20262026-05-28T17:26:40+00:00 2026-05-28T17:26:40+00:00

I am using Flask, WTForms, and the OurSQL MySQL library for my app. I

0

I am using Flask, WTForms, and the OurSQL MySQL library for my app. I receive post data from the request.form variable. I put that into a WTForms form object. I call validate() on that form, and then insert the form data into a MySQL database using OurSQL.

Without doing any additional processing, am I safe from SQL injection? Does the WTForms validate method do escaping? If not, what should I do to escape the data? An example of what I am doing looks like this:

form = MyWTFFormsForm(request.form)
if form.validate():
    cursor.execute("INSERT INTO mytable VALUES (?, ?, ?, ?, ?);",
            (form.field1.data, form.field2.data, form.field3.data,
             form.field4.data,
             form.field5.data))

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-28T17:26:41+00:00

Editorial Team

2026-05-28T17:26:41+00:00Added an answer on May 28, 2026 at 5:26 pm

As far as I know, neither WTForms nor Flask escape the data for SQL, but using placeholders like you’re doing there eliminates the need for escaping.

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I am using Flask, WTForms, and the OurSQL MySQL library for my app. I

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply