modifying html input date for mysql, reg ex or string interpolation?

John J. Lee jjl at pobox.com
Tue Apr 11 19:17:22 EDT 2006


Kun <neurogasm at gmail.com> writes:
[...]
> for x in form.keys():
>     print "%s=%s" % (x, form[x].value) + "<br>"
[...]

...and the second thing that jumps out at me is that you're neglecting
to HTML-quote the data you're inserting into your web page here (for
example, using xml.sax.saxutils.escape()), which is another common
cause of security holes, very similar to those with failing to use
proper SQL parameter quoting.

Google for "cross-site scripting".


John
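The point John makes above, as an added Python 3 example that is not part of the original thread: the raw interpolation pattern from Kun's script is placed beside a version that runs every key and value through xml.sax.saxutils.escape() before it reaches the page. The form dictionary is constructed here to stand in for the cgi.FieldStorage values in the thread; the render_* and contains_raw_tag function names are assumptions for this example. One caveat worth knowing: escape() only converts &, < and > by default, so a second argument is passed to also convert quotes, which matters when a value is emitted inside a quoted HTML attribute.

```python
from xml.sax.saxutils import escape

# Constructed sample form data, standing in for the cgi.FieldStorage
# values printed in the thread; one value carries markup and quotes.
SAMPLE_FORM = {
    "name": "Kun",
    "date": "2006-04-11",
    "comment": '<b>hi</b> & "quotes"',
}

# escape() replaces &, < and > on its own; quotes must be requested
# explicitly, which is needed once a value lands inside attribute="...".
QUOTE_ENTITIES = {'"': "&quot;", "'": "&#39;"}


def render_unescaped(form):
    """The pattern quoted in the thread: values are interpolated raw."""
    return "".join("%s=%s<br>" % (key, form[key]) for key in sorted(form))


def render_escaped(form):
    """Same output, but every key and value is HTML-escaped first."""
    return "".join(
        "%s=%s<br>" % (escape(key, QUOTE_ENTITIES), escape(form[key], QUOTE_ENTITIES))
        for key in sorted(form)
    )


def contains_raw_tag(html):
    """Crude check: is a user-supplied <b> element still live in the output?"""
    return "<b>" in html


if __name__ == "__main__":
    print(render_unescaped(SAMPLE_FORM))  # the <b> tag is live markup here
    print(render_escaped(SAMPLE_FORM))    # the same tag is now literal text
```

The escaped output still looks identical in the browser for ordinary values; only values that carry markup change, and they change into inert text, which is exactly the property that closes the cross-site scripting hole.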



