Django sql injection protection

假如想象 submitted on 2020-01-07 01:39:10

Question


Is it necessary to do custom cleaning of form data received from fields where the user is limited to selecting from pre-defined valid choices? For example radio buttons, choicefields, etc.

I have a situation where a database select is performed but the columns used in that select are defined by the user. The user is presented with pre-defined valid choices (radio buttons, choicefields) which represent table columns.

When that form is received do I need to do custom cleaning of that data to once again check that the data is valid? In other words, would it somehow be possible for the user to have POSTed invalid data even though I limited their choices to valid data?

Source: https://stackoverflow.com/questions/38523159/django-sql-injection-protection
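
The scenario in the question, sketched as an added example (not code from the original post, and written against the standard-library sqlite3 module rather than Django): a POST body can carry any string regardless of which radio buttons were rendered, so the submitted column name is re-checked on the server against an allowlist before it reaches the SQL text. The `product` table, its columns and the helper names are assumptions made for the illustration.

```python
import sqlite3

# Hypothetical allowlist: the same values the form offers as choices.
SELECTABLE_COLUMNS = {"name", "price", "created"}


class InvalidChoice(ValueError):
    """Submitted value is not one of the choices the form offered."""


def clean_column(submitted):
    # The browser only suggests the choices; the request can contain anything.
    if submitted not in SELECTABLE_COLUMNS:
        raise InvalidChoice(submitted)
    return submitted


def select_column(conn, submitted_column, min_price):
    column = clean_column(submitted_column)
    # Identifiers cannot be bound as parameters, so only an allowlisted name
    # is interpolated; the data value still goes through a placeholder.
    sql = f'SELECT "{column}" FROM product WHERE price >= ? ORDER BY id'
    return [row[0] for row in conn.execute(sql, (min_price,))]


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT, "
        "price REAL, created TEXT, cost REAL)"
    )
    conn.executemany(
        "INSERT INTO product (name, price, created, cost) VALUES (?, ?, ?, ?)",
        [("widget", 9.5, "2020-01-01", 3.0), ("gadget", 20.0, "2020-01-02", 8.0)],
    )
    results = {"name": select_column(conn, "name", 10)}
    # Constructed tampered submissions: a real column the form never offered,
    # and a string that is not a single column name at all.
    for tampered in ("cost", "name, cost"):
        try:
            select_column(conn, tampered, 0)
            results[tampered] = "accepted"
        except InvalidChoice:
            results[tampered] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

Django's `forms.ChoiceField` performs the same membership check when `form.is_valid()` runs, so reading the value from `form.cleaned_data` rather than from `request.POST` gives the equivalent guarantee.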
