Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I would like to use a string that was input by the user in a web form as part of a key name:
user_input = self.request.POST.get('foo')
if user_input:
foo = db.get_or_insert(db.Key('Foo', user_input[:100], parent=my_parent))
Is this safe? Or should I do some inexpensive encoding or hash? If yes, which one?
It’s safe as long as you don’t care about a malicious user filling up your database with junk.
get_or_insertwon’t let them overwrite existing entries, just add new ones.Make sure you limit it’s length (both in the UI and after it’s been recieved), even if you do no other validation on it, so at least they can’t just give you crazy big keys either to fill up the database quickly or to crash your app.
Edit: You just commented that you do, in fact, verify that it’s a reasonable key. In that case, yes, it’s safe.
Keep in mind that the user can probably still figure out what key are already in your database, based on how long it takes you to respond to what they’ve provided, and you still need to make sure they’re authorized to see whatever content they request, or limit them to a small number of requests to they can’t just brute-force retrieve all the information linked to the keys you’re generating.