[Fixed]-How do Django forms sanitize text input to prevent SQL injection, XSS, etc?


User input is sanitized by the database driver automatically.

Explicit user input sanitization is only ever required when you are trying to assemble a single string that contains both the SQL commands and also the data that you are trying to include; proper use of the Python DBAPI fully separates the commands and the data and you as a programmer should never have to worry about SQL injection as long as you use that functionality properly. And Django uses that functionality by default, so you doubly don’t have to worry about it.

Edit: XSS is a separate issue; see @renab’s comment and also https://docs.djangoproject.com/en/dev/topics/security/#cross-site-scripting-xss-protection

Leave a comment