I am using Flask, WTForms, and the OurSQL MySQL library for my app. I receive post data from the request.form
variable. I put that into a WTForms form object. I call validate()
on that form, and then insert the form data into a MySQL database using OurSQL.
Without doing any additional processing, am I safe from SQL injection? Does the WTForms validate
method do escaping? If not, what should I do to escape the data? An example of what I am doing looks like this:
form = MyWTFFormsForm(request.form)
if form.validate():
    # '?' is the qmark paramstyle: the driver binds each value separately
    cursor.execute("INSERT INTO mytable VALUES (?, ?, ?, ?, ?);",
                   (form.field1.data, form.field2.data, form.field3.data,
                    form.field4.data, form.field5.data))
As far as I know, neither WTForms nor Flask escape the data for SQL, but using placeholders like you're doing there eliminates the need for escaping.
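An added example to illustrate the answer's point (not code from the question or the answer): the same five-column insert run against an in-memory SQLite table, which uses the same '?' placeholder style as OurSQL, so sqlite3 stands in for the MySQL driver here. A validated value such as O'Brien is stored verbatim when bound through a placeholder, while the same value breaks the statement when it is pasted in by string formatting.

```python
import sqlite3

# Constructed sample of what the form's .data attributes would hold after
# validate() succeeds. validate() only checks each field's rules (required,
# length, and so on); it does not escape anything, so the apostrophe and the
# double quotes arrive exactly as the user typed them.
SAMPLE_ROW = ("O'Brien", 'say "hi"', "tab\there", 42, "plain")


def make_db():
    """In-memory SQLite stand-in for the MySQL table (same '?' paramstyle as OurSQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mytable (f1 TEXT, f2 TEXT, f3 TEXT, f4 INTEGER, f5 TEXT)")
    return conn


def insert_with_placeholders(conn, row):
    """The pattern from the question: values are bound as data, so quotes in
    the input never reach the SQL parser and no escaping step is needed."""
    conn.execute("INSERT INTO mytable VALUES (?, ?, ?, ?, ?);", row)
    return conn.execute("SELECT * FROM mytable").fetchall()


def insert_with_formatting(conn, row):
    """The pattern to avoid: splicing values into the statement text. The
    apostrophe in O'Brien ends the string literal early and the statement
    no longer parses, which is exactly the failure placeholders prevent."""
    sql = "INSERT INTO mytable VALUES ('%s', '%s', '%s', %s, '%s');" % row
    try:
        conn.execute(sql)
    except sqlite3.Error as exc:
        return "rejected: %s" % exc
    return "accepted"


if __name__ == "__main__":
    print(insert_with_placeholders(make_db(), SAMPLE_ROW))  # stored verbatim
    print(insert_with_formatting(make_db(), SAMPLE_ROW))    # syntax error
```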