Should data which comes from the user (like cookie values, variable parts in a route, query args) be treated as insecure and processed in a particular way? Does Flask already sanitize/escape input data so that passing it to a function test(input_data) is secure?
When the Flask application handles a request, it creates a Request object based on the environment it received from the WSGI server. Because a worker (thread, process, or coroutine depending on the server) handles only one request at a time, the request data can be considered global to that worker during that request.
Sanitizing means removing or rejecting unsafe characters in user input; validating means checking that the data has the expected type and format.
In the client-server architecture, the request object contains all the data sent from the client to the server. On the server side, that data is retrieved according to the HTTP method used for the request.
To access the incoming data in Flask, you have to use the request object. The request object holds all incoming data from the request, which includes the mimetype, referrer, IP address, raw data, HTTP method, and headers, among other things.
Flask does nothing to request data besides parsing it from the raw HTTP request. It has no way to know what constraints an arbitrary function has. It's up to you to check any constraints. All data will be strings by default. Don't use eval or exec. Use your database driver's parametrized queries to avoid SQL injection. If you render a template with Jinja it will escape data for use in HTML by default.
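As an added example (not from the original answer), a standard-library-only sketch of the three points above: query arguments arrive as strings and need the view's own validation, a parametrized query keeps user data out of the SQL text, and HTML escaping of the kind Jinja applies by default. The in-memory users table, the sample names and the use of html.escape as a stand-in for Jinja's autoescape are assumptions of this example.

```python
import html
import sqlite3


def build_db():
    """Constructed in-memory table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn


def parse_page(args, default=1, maximum=1000):
    """Validate a query argument such as ?page=3.

    Everything in request.args is a string; Flask neither converts nor
    range-checks it, so the view has to do both before using the value.
    """
    raw = args.get("page", str(default))
    if not raw.isdigit():
        raise ValueError(f"page must be a positive integer, got {raw!r}")
    page = int(raw)
    if not 1 <= page <= maximum:
        raise ValueError(f"page out of range: {page}")
    return page


def find_user(conn, name):
    """Look up a user with a parametrized query.

    The driver passes `name` as a bound value, never as SQL text, so a
    name containing quotes or keywords is matched literally (and simply
    finds nothing) instead of altering the statement.
    """
    row = conn.execute("SELECT id, name, email FROM users WHERE name = ?", (name,)).fetchone()
    return None if row is None else {"id": row[0], "name": row[1], "email": row[2]}


def render_comment(text):
    """Stand-in for Jinja's autoescape of {{ text }}: HTML-significant
    characters become entities, so the input is displayed as text rather
    than interpreted as markup. Here html.escape plays Jinja's role."""
    return f"<p>{html.escape(text, quote=True)}</p>"
```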