16

I don't see any form input sanitization in Django's form code w/r/t handling raw text. How does Django ensure that user input is sanitized when going into the database? Does it do this at all to prevent SQL injection, etc?

Madbreaks
  • 19,094
  • 7
  • 58
  • 72
Carson
  • 17,073
  • 19
  • 66
  • 87
  • 1
    If you are worried about html/scripts in your inputs, this question has the answers in it already... if you are just worried about sql injection, see @Andrew Gorcester's answer below http://stackoverflow.com/questions/5641901/django-sanitize-form-data – renab Nov 26 '12 at 22:17
  • 1
    we were just discussing something similar at this question: http://stackoverflow.com/questions/13525399/django-safely-validating-untrusted-html-input/13539906#13539906 -- the answer being `bleach`. – Williams Nov 27 '12 at 02:59

1 Answers1

27

User input is sanitized by the database driver automatically.

Explicit user input sanitization is only ever required when you are trying to assemble a single string that contains both the SQL commands and also the data that you are trying to include; proper use of the Python DBAPI fully separates the commands and the data and you as a programmer should never have to worry about SQL injection as long as you use that functionality properly. And Django uses that functionality by default, so you doubly don't have to worry about it.

Edit: XSS is a separate issue; see @renab's comment and also https://docs.djangoproject.com/en/dev/topics/security/#cross-site-scripting-xss-protection

Andrew Gorcester
  • 19,595
  • 7
  • 57
  • 73
  • 2
    But how to handle GET request data? For example, the value attribute of an input element outputs the user's search query resulting in reflected XSS. – Jarad Feb 15 '21 at 20:11