On Oct 16, 5:25 pm, Steven D'Aprano <steve +comp.lang.pyt...@pearwood.info> wrote:
> How do you sanitize user input?

Thanks for your concern. This is what I now have, which merely expands each value into its usable type (unquotes them):

    import cgi

    # filter each value
    try:
        var = int(var)              # numeric strings become ints
    except ValueError:
        if var in ('False', 'True'):
            var = eval(var)         # extract booleans
        else:
            var = cgi.escape(var)   # everything else is HTML-escaped

This is really no filtering at all, since all CGI variables are written to a dictionary without checking. However, if there is no receiver for the value I should be safe, right?

I am also trapping some input at mod_wsgi, like PHP query strings. And that IP address gets quarantined. If you can suggest what attack words to block I'll thank you for it.

I also have a system to reject variables that are not in a list, but waiting to see what the logfiles show before deploying it.

-- 
Gnarlie
http://Gnarlodious.com

-- 
http://mail.python.org/mailman/listinfo/python-list
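As an added illustration (not code from the poster or from the thread), here is one way to turn the "reject variables that are not in a list" idea into a whitelist of parameter names with a typed converter per name, so booleans are parsed without eval() and unknown or unparseable values are rejected instead of expanded. The parameter names, ranges and sample input are constructed for the example.

```python
import html

# Constructed example: each allowed CGI parameter maps to a converter
# that returns the typed value or raises ValueError. Anything not in
# SCHEMA, or that the converter refuses, is rejected rather than stored.

def parse_bool(text):
    """Parse 'True'/'False' without eval(); any other string is rejected."""
    if text == "True":
        return True
    if text == "False":
        return False
    raise ValueError("not a boolean: %r" % text)

def parse_int(text, low=0, high=10**6):
    """int() in base 10 only (rejects '1e3', '0x10'), then range-check."""
    value = int(text, 10)
    if not low <= value <= high:
        raise ValueError("out of range: %d" % value)
    return value

def parse_text(text, max_len=200):
    """Length-limit, then escape for an HTML output context only;
    a database or shell context needs its own quoting, not this."""
    if len(text) > max_len:
        raise ValueError("too long: %d chars" % len(text))
    return html.escape(text, quote=True)

# Hypothetical parameter list for the example.
SCHEMA = {"page": parse_int, "debug": parse_bool, "q": parse_text}

def filter_params(raw):
    """Return (accepted, rejected): accepted holds typed values,
    rejected maps each refused name to the reason, for the logfiles."""
    accepted, rejected = {}, {}
    for name, text in raw.items():
        converter = SCHEMA.get(name)
        if converter is None:
            rejected[name] = "unknown parameter"
            continue
        try:
            accepted[name] = converter(text)
        except ValueError as exc:
            rejected[name] = str(exc)
    return accepted, rejected

if __name__ == "__main__":
    # Constructed request: one unknown name and one bad boolean.
    print(filter_params({"page": "3", "debug": "True", "q": "<b>x</b>", "cmd": "ls"}))
```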