On 12/20/05, Kevin <[EMAIL PROTECTED]> wrote:
> # my view
> def view_article(request, article):
>     try:
>         articles.get_object(name__exact=article)
>     except:
>         return HttpResponseNotFound()
>
>     # the view must return the response, not just build it
>     return render_to_response('view_article', {'article': article})
>
> My question is, can I trust that django's ORM won't allow "bad things"
> to happen from the 'article' string received from the urlconf? Or do I
> need to perform some validation on the argument before passing it to
> get_object()?
All the standard Django ORM functions, such as get_object() and get_list(), automatically quote all parameters within the SQL queries. So you don't have to worry about SQL injection.

I'm hoping to write up a document about this soon.

Adrian

--
Adrian Holovaty
holovaty.com | djangoproject.com | chicagocrime.org
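What "automatically quote all parameters" buys you, as an added example that is not code from this thread or from Django: the two lookups below do the same `name = ...` query against a constructed in-memory sqlite3 table. `get_object_by_formatting` pastes the URL string into the SQL text, which is what the question worries about; `get_object_by_binding` hands it to the driver as a bound parameter, which is how the ORM's `name__exact=article` lookup reaches the database. The table, the row data, the hostile name and the function names are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data: an in-memory table standing in for whatever
# backs the poster's "articles" model. Not real content.
ARTICLE_ROWS = [
    ("hello-world", "first post"),
    ("django-urls", "about urlconfs"),
    ("o'reilly-review", "a name with a legitimate apostrophe"),
    ("secret-draft", "unpublished"),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, name TEXT, body TEXT)")
    conn.executemany("INSERT INTO articles (name, body) VALUES (?, ?)", ARTICLE_ROWS)
    return conn

def get_object_by_formatting(conn, name):
    """The unsafe version: the URL fragment becomes part of the SQL text,
    so quote characters in it change the statement's meaning."""
    sql = "SELECT name FROM articles WHERE name = '%s'" % name
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        # A benign apostrophe is enough to break the statement outright.
        return "sql error: %s" % exc

def get_object_by_binding(conn, name):
    """The safe version, mirroring what the ORM does for name__exact=name:
    the value travels as a bound parameter and is never parsed as SQL."""
    sql = "SELECT name FROM articles WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

# A hostile "article" value such as a urlconf might capture from the path.
HOSTILE_NAME = "x' OR '1'='1"

def demo():
    conn = make_db()
    return {
        "benign_formatting": get_object_by_formatting(conn, "hello-world"),
        "benign_binding": get_object_by_binding(conn, "hello-world"),
        # Formatting: WHERE name = 'x' OR '1'='1'  -> every row, drafts included.
        "hostile_formatting": get_object_by_formatting(conn, HOSTILE_NAME),
        # Binding: looks for a row literally named "x' OR '1'='1" -> nothing.
        "hostile_binding": get_object_by_binding(conn, HOSTILE_NAME),
        "apostrophe_formatting": get_object_by_formatting(conn, "o'reilly-review"),
        "apostrophe_binding": get_object_by_binding(conn, "o'reilly-review"),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print("%-22s %r" % (key, value))
```

The hostile value pulls back every row, including the unpublished one, only through the formatted query; bound, it matches nothing and the view falls through to its 404 branch as intended. The apostrophe case shows the same mechanism is also a correctness issue: formatting produces a malformed statement for an ordinary name, binding finds the row. The guarantee is about the SQL layer only; the same string still has to be escaped for whatever other context it is written into, such as the template that `render_to_response` fills in.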