 

Safe using user input as key_name?

I would like to use a string that was input by the user in a web form as part of a key name:

from google.appengine.ext import db

user_input = self.request.POST.get('foo')
if user_input:
  # get_or_insert is a classmethod on the Model; it takes the key_name directly
  foo = Foo.get_or_insert(user_input[:100], parent=my_parent)

Is this safe? Or should I do some inexpensive encoding or hash? If yes, which one?

asked Mar 17 '26 21:03 by zengabor


1 Answer

It's safe as long as you don't care about a malicious user filling up your database with junk. get_or_insert won't let them overwrite existing entries, just add new ones.

Make sure you limit its length (both in the UI and after it's been received), even if you do no other validation on it, so at least they can't just give you crazy big keys either to fill up the database quickly or to crash your app.

Edit: You just commented that you do, in fact, verify that it's a reasonable key. In that case, yes, it's safe.

Keep in mind that the user can probably still figure out what keys are already in your database, based on how long it takes you to respond to what they've provided, and you still need to make sure they're authorized to see whatever content they request, or limit them to a small number of requests so they can't just brute-force retrieve all the information linked to the keys you're generating.

answered Mar 19 '26 11:03 by agf
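As an added example (not code from the question or the answer above), here is a small standalone Python module showing the two options the question asks about: keep the user's string as the key name only if it passes a strict allowlist and length check, and otherwise fall back to a fixed-length SHA-256 form. The function names (readable_key_name, hashed_key_name, key_name_for), the 100-character cap copied from the question's user_input[:100], and the raw-input guard are assumptions; rejecting names that start with two underscores follows the Datastore convention of reserving that prefix. No App Engine SDK is needed to run it.

```python
import hashlib
import unicodedata
from typing import Optional

# Assumed policy limits. 100 mirrors the question's user_input[:100]; the raw
# guard stops us from normalizing/hashing an absurdly large form field at all.
MAX_KEY_NAME_LEN = 100
MAX_RAW_INPUT_LEN = 1024

# Allowlist for a "readable" key name: ASCII letters, digits, and a few
# separators. Anything outside this set goes through the hashed form.
_SAFE_CHARS = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_.")


def normalize(user_input: str) -> str:
    """Canonicalize user input so visually identical strings share one key.

    NFKC collapses composed/decomposed Unicode forms and compatibility
    characters (fullwidth letters, ligatures), so a user cannot mint several
    "different" keys that render identically.
    """
    return unicodedata.normalize("NFKC", user_input).strip()


def readable_key_name(user_input: str) -> Optional[str]:
    """Return the normalized input as a key name if it passes the allowlist.

    Rejects empty strings, anything longer than MAX_KEY_NAME_LEN, characters
    outside _SAFE_CHARS, and names beginning with '__' (reserved prefix).
    Returns None on rejection so the caller can fall back to hashing.
    """
    name = normalize(user_input)
    if not name or len(name) > MAX_KEY_NAME_LEN:
        return None
    if name.startswith("__"):
        return None
    if not all(c in _SAFE_CHARS for c in name):
        return None
    return name


def hashed_key_name(user_input: str) -> str:
    """Map arbitrary input to a fixed-length ASCII key name.

    The 'u_' prefix guarantees the result never starts with '__' and is never
    all digits; SHA-256 makes the length independent of the input and keeps
    collisions between distinct normalized inputs infeasible.
    """
    digest = hashlib.sha256(normalize(user_input).encode("utf-8")).hexdigest()
    return "u_" + digest


def key_name_for(user_input: str) -> str:
    """Bound the raw input, then prefer the readable form over the hash."""
    if len(user_input) > MAX_RAW_INPUT_LEN:
        raise ValueError("input too long for a key name")
    return readable_key_name(user_input) or hashed_key_name(user_input)
```

Note that hashing only fixes the size and character-set problems; it does nothing about the enumeration issue the answer raises. Whether the key is the raw string or its hash, an existing entity still answers faster or differently than a missing one, so authorization on the fetched entity and rate limiting are still required.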


