[mod_python] How to sanitize input?

Adrian Holovaty modpython at holovaty.com
Mon Dec 13 18:15:53 EST 2004


Kevin White wrote:
> Before I take form data and start putting it into an sql statement for
> updating/inserting to a database, I assume I will need to clean it up.
> That is, in PHP, I used to addslashes() to each field before inserting
> to the database, in case it has characters that would mess up the sql.
>
> How do I sanitize my input in python?

Hey Kevin,

Kiss addslashes() goodbye. In Python, it's handled for you automatically, by 
the database module you're using (e.g. psycopg for PostgreSQL), in the 
cursor.execute() method:

# db is an open DB-API connection (e.g. from psycopg); the value is bound
# as a parameter, so the driver handles quoting and no addslashes() is needed.
baz = '"blah\'s quotes"'
cursor = db.cursor()
cursor.execute("SELECT foo FROM bar WHERE baz=%s", [baz])

Check out the Python-DBI PEP for full information on this:

http://www.python.org/peps/pep-0249.html

Adrian
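A runnable illustration of the point in the reply above, added here and not part of the original thread: it uses Python's standard sqlite3 module with a constructed in-memory `bar` table, and contrasts splicing the value into the SQL text with DB-API parameter binding (note sqlite3's placeholder is `?`, the 'qmark' paramstyle, where psycopg uses `%s`).

```python
import sqlite3

# Constructed in-memory table standing in for the post's "bar" table.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE bar (foo TEXT, baz TEXT)")
    db.executemany("INSERT INTO bar VALUES (?, ?)",
                   [("row1", "plain"), ("row2", '"blah\'s quotes"')])
    return db

def lookup_unsafe(db, baz):
    # String formatting: the value becomes part of the SQL text, so the
    # quotes inside it alter the statement and the query fails (or worse).
    cursor = db.cursor()
    cursor.execute("SELECT foo FROM bar WHERE baz='%s'" % baz)
    return [row[0] for row in cursor.fetchall()]

def lookup_safe(db, baz):
    # DB-API parameter binding: the driver passes the value separately from
    # the SQL text, so nothing in the value can change the statement.
    # sqlite3 uses the 'qmark' paramstyle ('?'); psycopg uses '%s'.
    cursor = db.cursor()
    cursor.execute("SELECT foo FROM bar WHERE baz=?", [baz])
    return [row[0] for row in cursor.fetchall()]

def demo(baz='"blah\'s quotes"'):
    # Run both lookups on the same value from the post and report the outcome.
    db = make_db()
    try:
        unsafe = lookup_unsafe(db, baz)
    except sqlite3.OperationalError as exc:
        unsafe = "error: %s" % exc
    return {"paramstyle": sqlite3.paramstyle,
            "unsafe": unsafe,
            "safe": lookup_safe(db, baz)}

if __name__ == "__main__":
    print(demo())
```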
