问题
I don't see any form input sanitization in Django's form code w/r/t handling raw text. How does Django ensure that user input is sanitized when going into the database? Does it do this at all to prevent SQL injection, etc?
回答1:
User input is sanitized by the database driver automatically.
Explicit user input sanitization is only ever required when you are trying to assemble a single string that contains both the SQL commands and also the data that you are trying to include; proper use of the Python DBAPI fully separates the commands and the data and you as a programmer should never have to worry about SQL injection as long as you use that functionality properly. And Django uses that functionality by default, so you doubly don't have to worry about it.
Edit: XSS is a separate issue; see @renab's comment and also https://docs.djangoproject.com/en/dev/topics/security/#cross-site-scripting-xss-protection
来源:https://stackoverflow.com/questions/13574043/how-do-django-forms-sanitize-text-input-to-prevent-sql-injection-xss-etc