special character handling
Joonas Paalasmaa
joonas at olen.to
Thu Nov 1 12:31:48 EST 2001
"Michael P. Soulier" wrote:
>
> Hello.
>
> When I'm coding in PHP, my job is made very easy due to the existence of
> functions that automagickally protect special characters with backslashes,
> translate special html characters to their corresponding html entities, strip
> all but allowed html tags, etc. I've looked in latest Python docs, and the
> Vaults of Parnassus, and I have yet to find such generic, ready-to-use
> functions.
> It's true that I could create some of this using the existing internet and
> markup data handling classes, but the point is that they're not made yet.
> Before I go to the trouble of writing such a library, as I'd rather use Python
> than PHP, does anyone know if someone has beaten me to it?
>
> I'm thinking of such generic functions as
>
> addslashes(), stripslashes(), striphtml(), etc.
>
> If not, anyone here is of course welcome to help me write such a library,
> and I'll ensure that it ends up in tvops
The sgmllib module can strip HTML.
See the example at
http://mail.python.org/pipermail/python-list/2001-May/041075.html
The builtin repr() function is very useful for some escaping tasks.
Here's an SQL example where user_input can contain unsafe data.
>>> user_input = "';\ndrop table usertable; select * from usertable where name like ';"
>>> print "select * from usertable where name like %s" % repr(user_input) # with repr
select * from usertable where name like "';\ndrop table usertable; select * from usertable where name like ';"
>>> print "select * from usertable where name like '%s'" % (user_input) # without repr
select * from usertable where name like '';
drop table usertable; select * from usertable where name like '';
As you can see, the repr() function handles all unsafe characters.
>>> print repr(""" '`" """)
' \'`" '
--
Joonas Paalasmaa
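An added example, not from the original post, of how the two tasks in the thread (quoting user input for SQL and converting HTML special characters to entities) are done in Python without hand-built quoting: bind the input as a query parameter and use html.escape for the entity conversion. It reuses the post's own user_input with a throwaway in-memory SQLite database; the table and column names are assumptions.

```python
import html
import sqlite3

# The same constructed input as in the post above.
USER_INPUT = "';\ndrop table usertable; select * from usertable where name like ';"


def python_literal(s):
    """repr() produces a Python string literal: backslash escapes and a quote
    character chosen by Python. SQL escapes a quote by doubling it ('') and
    gives double quotes a different meaning, so the two rules do not match."""
    return repr(s)


def build_demo_db():
    """Hypothetical table for the demo, populated with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table usertable (name text)")
    conn.executemany("insert into usertable values (?)", [("alice",), ("bob",)])
    return conn


def query_with_parameters(conn, pattern):
    """Pass the input as a bound parameter: the driver hands it to SQLite as
    data, so quotes and newlines in it never reach the SQL parser."""
    cur = conn.execute("select name from usertable where name like ?", (pattern,))
    return [row[0] for row in cur.fetchall()]


def html_entities(s):
    """Counterpart of PHP's htmlspecialchars(): & < > " ' become entities."""
    return html.escape(s, quote=True)


def demo():
    """Run the hostile input through the parameterised query: it is treated
    as an ordinary LIKE pattern, matches nothing, and the table survives."""
    conn = build_demo_db()
    matches = query_with_parameters(conn, USER_INPUT)
    tables = [r[0] for r in conn.execute(
        "select name from sqlite_master where type = 'table'")]
    return matches, tables


if __name__ == "__main__":
    print(demo())          # ([], ['usertable'])
    print(html_entities("<b>\"x\" & 'y'</b>"))
```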