Django's database API does a lot of the worrying for you. It will autoescape the more dangerous aspects of user input when executing SQL. You'd have to be more careful if you were executing raw queries, and even then you'd have to be running those queries as literal strings instead of parameterized ModelManager.raw() <http://docs.djangoproject.com/en/dev/topics/db/sql/#topics-db-sql> calls.

In short, if you're using the typical ModelManager methods, i.e. Model.objects.filter(), Model.objects.get(), etc., and validating your input with Form.is_valid(), you should be pretty well protected against SQL injection.

As for HTML escaping, you'd have to manually mark the string as safe or use the safe filter in your template for it to be rendered as real HTML. If you're trying to render user input as HTML, take a look at django.utils.html <http://code.djangoproject.com/browser/django/trunk/django/utils/html.py>; there are some functions in there that will be of interest, notably django.utils.html.escape().

Hope this better answers your question,

Matt

On Mon, Feb 22, 2010 at 2:42 PM, Peter Herndon <tphern...@gmail.com> wrote:

> On Mon, Feb 22, 2010 at 12:32 PM, Jon Loeliger <j...@jdl.com> wrote:
>
> > I get is_valid() and the notion of cleaned data. I *think*,
> > though, that I am asking for something more robust.
> >
> > Will some_form.is_valid(), say, remove (or identify)
> > embedded SQL hacking attempts from a plain text field input?
>
> http://www.djangobook.com/en/2.0/chapter20/
>
> The part on CSRF is a bit outdated for Django 1.2, which features
> improved CSRF protection, but the rest is still on point, to my
> knowledge.
>
> --
> You received this message because you are subscribed to the Google Groups "Django users" group.
> To post to this group, send email to django-us...@googlegroups.com.
> To unsubscribe from this group, send email to django-users+unsubscr...@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
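The distinction Matt draws above, as an added example that is not from this thread or from Django itself: a raw query built by string formatting beside one that passes the value as a query parameter (the shape of Model.objects.raw(sql, params) and cursor.execute(sql, params)), plus escaping of untrusted text before it is rendered as HTML. It uses the standard library's sqlite3 and html modules as stand-ins for Django's database cursor and django.utils.html.escape(); the app_article table, its rows and the inputs are all constructed for the demonstration.

```python
import html
import sqlite3


def make_db():
    # Constructed in-memory table standing in for a Django model's table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE app_article (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO app_article (title, body) VALUES (?, ?)",
        [("Hello", "<b>plain</b> text"), ("Secret", "draft")],
    )
    return conn


def lookup_unsafe(conn, title):
    # The user's input is pasted into the SQL text, so the database parses it
    # as SQL. This is what raw("... WHERE title = '%s'" % title) would do;
    # no amount of Form.is_valid() cleaning changes how the database reads it.
    sql = "SELECT title FROM app_article WHERE title = '%s'" % title
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, title):
    # The value travels separately from the SQL text, as raw(sql, [title]) or
    # cursor.execute(sql, [title]) does in Django (Django uses %s placeholders
    # for every backend; sqlite3 called directly uses ?). The input can only
    # ever be compared as data, never executed as SQL.
    sql = "SELECT title FROM app_article WHERE title = ?"
    return [row[0] for row in conn.execute(sql, (title,))]


def render_body(body, mark_safe=False):
    # Django's template engine autoescapes by default; only a value marked safe
    # (mark_safe() or the |safe filter) is emitted as real HTML. html.escape
    # rewrites the same characters (& < > " ') that django.utils.html.escape does.
    return body if mark_safe else html.escape(body, quote=True)
```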