I don’t see any form input sanitization in Django’s form code w/r/t handling raw text. How does Django ensure that user input is sanitized when going into the database? Does it do this at all to prevent SQL injection, etc?
Share
Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I don’t see any form input sanitization in Django’s form code w/r/t handling raw text. How does Django ensure that user input is sanitized when going into the database? Does it do this at all to prevent SQL injection, etc?
User input is sanitized by the database driver automatically.
Explicit user input sanitization is only ever required when you are trying to assemble a single string that contains both the SQL commands and also the data that you are trying to include; proper use of the Python DBAPI fully separates the commands and the data and you as a programmer should never have to worry about SQL injection as long as you use that functionality properly. And Django uses that functionality by default, so you doubly don’t have to worry about it.
Edit: XSS is a separate issue; see @renab’s comment and also https://docs.djangoproject.com/en/dev/topics/security/#cross-site-scripting-xss-protection