I'm not sure how Django has built its SQL injection protection, but I would guess that when you e.g. do model.save() or form.save(), the functions actually making the SQL for the DB make sure that there are no injections by using placeholders for the data, etc.
XSS is something I do know how works, however, and it is not in effect when data is being saved, but rather when it is being rendered. Django will auto-escape all potentially harmful chars like < > " to prevent any such attacks.

~Jakob

On 23 Mar., 20:31, Bobby Roberts <tchend...@gmail.com> wrote:
> > Cleaning data is not in place as a security measure, but rather to
> > help you validate the data. That means that you can check the data
> > and find out if it fills your requirements. If you have a text field
> > and want users to type in a serial number, you probably need some
> > custom validation like to see if the serial number has the correct
> > number of digits/chars etc. Or if they need to type in a phone number
> > you probably want to check that as well. Django does some validation
> > for you automatically, like checking email fields for @ and dots.
>
> I thought I read that there was a way to check data for SQL query
> injections / cross site scripting etc. before insertion.... Is that a
> misunderstanding on my part?
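The two mechanisms Jakob describes, as an added example that is not part of this thread: plain sqlite3 placeholders stand in for what Django's query layer does on save, and html.escape stands in for template autoescaping at render time. The table schema and the hostile input are constructed for the demonstration.

```python
import html
import sqlite3

# Constructed sample input: a "serial number" typed into a form field. It
# carries an HTML tag and a SQL quote so that both defences can be observed.
HOSTILE_SERIAL = "<b>SN-42</b>' OR '1'='1"

def make_db():
    """In-memory table standing in for a Django model's table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE device (id INTEGER PRIMARY KEY, serial TEXT)")
    conn.executemany("INSERT INTO device (serial) VALUES (?)", [("SN-1",), ("SN-2",)])
    return conn

def save_serial(conn, serial):
    """What model.save() does underneath: the value is bound to a placeholder,
    so it is stored verbatim and never becomes part of the SQL text."""
    conn.execute("INSERT INTO device (serial) VALUES (?)", (serial,))
    conn.commit()

def lookup_unsafe(conn, serial):
    """Anti-pattern: splicing the input into the SQL lets the quote in it
    rewrite the WHERE clause, so every row matches."""
    sql = f"SELECT serial FROM device WHERE serial = '{serial}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, serial):
    """Placeholder version: the whole input is compared as one literal value."""
    rows = conn.execute("SELECT serial FROM device WHERE serial = ?", (serial,))
    return [row[0] for row in rows]

def render_cell(serial):
    """Render-time escaping, as Django's template autoescape does. html.escape
    is a stand-in here; it makes the same five substitutions (& < > " ')."""
    return "<td>" + html.escape(serial, quote=True) + "</td>"

def demo():
    """Save the hostile value, then compare the two lookups and the rendering."""
    conn = make_db()
    save_serial(conn, HOSTILE_SERIAL)
    stored = conn.execute("SELECT serial FROM device WHERE id = 3").fetchone()[0]
    return {
        "stored": stored,                                    # unchanged by save
        "unsafe_rows": lookup_unsafe(conn, HOSTILE_SERIAL),  # all three rows
        "safe_rows": lookup_safe(conn, HOSTILE_SERIAL),      # only the new row
        "rendered": render_cell(stored),                     # tag and quotes escaped
    }
```

Note that the value is saved exactly as typed: nothing is "cleaned" on the way in, and the protection comes from the placeholder at query time and the escaping at render time.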